Edit tour

Windows Analysis Report
SOA-Al Daleel.exe

Overview

General Information

Sample name:	SOA-Al Daleel.exe
Analysis ID:	1467074
MD5:	487de74e533bec62ad60b71ed4990b14
SHA1:	68816bdb2128901d938adee5bbbdcfe9ad710bf1
SHA256:	4d7a7d2b1e9422eae20449218fc515b1e526d03f1bbf0d371ad4ffbcb13a51b4
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA-Al Daleel.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\SOA-Al Daleel.exe" MD5: 487DE74E533BEC62AD60B71ED4990B14)

powershell.exe (PID: 7732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8044 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7764 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

eeXxnIpy.exe (PID: 8016 cmdline: C:\Users\user\AppData\Roaming\eeXxnIpy.exe MD5: 487DE74E533BEC62AD60B71ED4990B14)

schtasks.exe (PID: 8152 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "*SGCViVH2@@@@11$#4%%   "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.1366722684.0000000003020000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2566283854.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SOA-Al Daleel.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA-Al Daleel.exe PID: 7508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SOA-Al Daleel.exe PID: 7508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: eeXxnIpy.exe PID: 8016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eeXxnIpy.exe PID: 8016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eeXxnIpy.exe PID: 8016	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 5960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33515:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33631:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3369b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33833:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.eeXxnIpy.exe.448aa90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.eeXxnIpy.exe.448aa90.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.eeXxnIpy.exe.448aa90.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31715:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3179f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31831:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3189b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3190d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a33:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.SOA-Al Daleel.exe.41f9a78.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.SOA-Al Daleel.exe.41f9a78.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SOA-Al Daleel.exe.41f9a78.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31715:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3179f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31831:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3189b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3190d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a33:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.eeXxnIpy.exe.448aa90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.eeXxnIpy.exe.448aa90.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.eeXxnIpy.exe.448aa90.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dcc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33515:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd35:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ddbf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33631:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de51:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3369b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6debb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df2d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfc3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33833:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e053:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dcc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33515:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd35:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3359f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ddbf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33631:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de51:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3369b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6debb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3370d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df2d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfc3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33833:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e053:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 11 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7912, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49708

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA-Al Daleel.exe", ParentImage: C:\Users\user\Desktop\SOA-Al Daleel.exe, ParentProcessId: 7508, ParentProcessName: SOA-Al Daleel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", ProcessId: 7732, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eeXxnIpy.exe, ParentImage: C:\Users\user\AppData\Roaming\eeXxnIpy.exe, ParentProcessId: 8016, ParentProcessName: eeXxnIpy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp", ProcessId: 8152, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA-Al Daleel.exe", ParentImage: C:\Users\user\Desktop\SOA-Al Daleel.exe, ParentProcessId: 7508, ParentProcessName: SOA-Al Daleel.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", ProcessId: 7764, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA-Al Daleel.exe", ParentImage: C:\Users\user\Desktop\SOA-Al Daleel.exe, ParentProcessId: 7508, ParentProcessName: SOA-Al Daleel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe", ProcessId: 7732, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA-Al Daleel.exe", ParentImage: C:\Users\user\Desktop\SOA-Al Daleel.exe, ParentProcessId: 7508, ParentProcessName: SOA-Al Daleel.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp", ProcessId: 7764, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "*SGCViVH2@@@@11$#4%% "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: SOA-Al Daleel.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SOA-Al Daleel.exe

Joe Sandbox ML: detected

Source: SOA-Al Daleel.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SOA-Al Daleel.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: NWau.pdbSHA256/ source: SOA-Al Daleel.exe, eeXxnIpy.exe.1.dr
Source:	Binary string: NWau.pdb source: SOA-Al Daleel.exe, eeXxnIpy.exe.1.dr

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 4x nop then jmp 0160630Fh	1_2_01605D8A
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 4x nop then jmp 0160630Fh	1_2_01605E1B
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 4x nop then jmp 0160630Fh	1_2_01605E87
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 4x nop then jmp 05465567h	11_2_05464FE2
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 4x nop then jmp 05465567h	11_2_054650DF

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49708 -> 208.91.199.223:587

Source: global traffic

TCP traffic: 192.168.2.7:49183 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 208.91.199.223 208.91.199.223

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.7:49708 -> 208.91.199.223:587

Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com
Source: global traffic	DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa

Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: SOA-Al Daleel.exe, 00000001.00000002.1350225634.0000000003151000.00000004.00000800.00020000.00000000.sdmp, eeXxnIpy.exe, 0000000B.00000002.1384682495.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SOA-Al Daleel.exe, 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, eeXxnIpy.exe, 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, 3DlgK9re6m.cs	.Net Code: j72D
Source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, 3DlgK9re6m.cs	.Net Code: j72D

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.eeXxnIpy.exe.448aa90.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.SOA-Al Daleel.exe.317880c.1.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 1.2.SOA-Al Daleel.exe.7460000.6.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0136D364	1_2_0136D364
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_01601700	1_2_01601700
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_01601710	1_2_01601710
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_01607B48	1_2_01607B48
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_01608BE8	1_2_01608BE8
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313F718	1_2_0313F718
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313BB70	1_2_0313BB70
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313F6CE	1_2_0313F6CE
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313BB60	1_2_0313BB60
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313FBC8	1_2_0313FBC8
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07481060	1_2_07481060
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07487F28	1_2_07487F28
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07483D50	1_2_07483D50
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07488779	1_2_07488779
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0748877B	1_2_0748877B
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07488788	1_2_07488788
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07482450	1_2_07482450
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07482460	1_2_07482460
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07486438	1_2_07486438
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0748F4C8	1_2_0748F4C8
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_074872F0	1_2_074872F0
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_074882B1	1_2_074882B1
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07481053	1_2_07481053
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0748F090	1_2_0748F090
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07487F18	1_2_07487F18
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07483EE3	1_2_07483EE3
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07483D43	1_2_07483D43
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0748EC58	1_2_0748EC58
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07487967	1_2_07487967
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07487978	1_2_07487978
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0748F900	1_2_0748F900
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07481918	1_2_07481918
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_07481913	1_2_07481913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014ED025	10_2_014ED025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014E9378	10_2_014E9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014E9B38	10_2_014E9B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014E4A98	10_2_014E4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014E3E80	10_2_014E3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014ED168	10_2_014ED168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_014E41C8	10_2_014E41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A56A8	10_2_063A56A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A0040	10_2_063A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A3F18	10_2_063A3F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063ADCF0	10_2_063ADCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063ABCD8	10_2_063ABCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A9AB8	10_2_063A9AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A2AF0	10_2_063A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A8B68	10_2_063A8B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A3210	10_2_063A3210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_063A4FC8	10_2_063A4FC8
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_05466CD0	11_2_05466CD0
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_05461700	11_2_05461700
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_05461710	11_2_05461710
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_05467970	11_2_05467970
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058E7D58	11_2_058E7D58
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058E7FB0	11_2_058E7FB0
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058E0006	11_2_058E0006
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058E0040	11_2_058E0040
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058EAEB0	11_2_058EAEB0
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_058E7FA1	11_2_058E7FA1
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592F718	11_2_0592F718
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592BB70	11_2_0592BB70
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592F6CE	11_2_0592F6CE
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592FBC8	11_2_0592FBC8
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592BB60	11_2_0592BB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0122D021	15_2_0122D021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01229378	15_2_01229378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01229B38	15_2_01229B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01224A98	15_2_01224A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01223E80	15_2_01223E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0122D168	15_2_0122D168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_012241C8	15_2_012241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F4DCF0	15_2_05F4DCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F4BCD8	15_2_05F4BCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F43F18	15_2_05F43F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F456A8	15_2_05F456A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F40040	15_2_05F40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F48B68	15_2_05F48B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F42AF0	15_2_05F42AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F44FC8	15_2_05F44FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_05F43210	15_2_05F43210

Source: SOA-Al Daleel.exe, 00000001.00000002.1350225634.0000000003151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1350225634.0000000003151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1353183069.0000000007460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1348671494.000000000109E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe, 00000001.00000002.1354161903.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA-Al Daleel.exe
Source: SOA-Al Daleel.exe	Binary or memory string: OriginalFilenameNWau.exe> vs SOA-Al Daleel.exe

Source: SOA-Al Daleel.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.eeXxnIpy.exe.448aa90.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SOA-Al Daleel.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eeXxnIpy.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, JHelOmGX9xBk92vdl7.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@20/11@3/1

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File created: C:\Users\user\AppData\Roaming\eeXxnIpy.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Mutant created: \Sessions\1\BaseNamedObjects\qrtQzlNBltcEPhWY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2314.tmp

Jump to behavior

Source: SOA-Al Daleel.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SOA-Al Daleel.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOA-Al Daleel.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File read: C:\Users\user\Desktop\SOA-Al Daleel.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SOA-Al Daleel.exe "C:\Users\user\Desktop\SOA-Al Daleel.exe"
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eeXxnIpy.exe C:\Users\user\AppData\Roaming\eeXxnIpy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SOA-Al Daleel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SOA-Al Daleel.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SOA-Al Daleel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NWau.pdbSHA256/ source: SOA-Al Daleel.exe, eeXxnIpy.exe.1.dr
Source:	Binary string: NWau.pdb source: SOA-Al Daleel.exe, eeXxnIpy.exe.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: SOA-Al Daleel.exe, mainscreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: eeXxnIpy.exe.1.dr, mainscreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.317880c.1.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.317880c.1.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.7460000.6.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.7460000.6.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, JHelOmGX9xBk92vdl7.cs	.Net Code: Gkjn1GV4xw System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, JHelOmGX9xBk92vdl7.cs	.Net Code: Gkjn1GV4xw System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, JHelOmGX9xBk92vdl7.cs	.Net Code: Gkjn1GV4xw System.Reflection.Assembly.Load(byte[])

Source: SOA-Al Daleel.exe

Static PE information: 0x9E3D2D85 [Sun Feb 15 23:04:37 2054 UTC]

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Code function: 1_2_0313EFD5 push esp; retf	1_2_0313EFDC
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592EFD5 push esp; retf	11_2_0592EFDC
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Code function: 11_2_0592084A pushfd ; ret	11_2_05920851

Source: SOA-Al Daleel.exe	Static PE information: section name: .text entropy: 7.976235825353332
Source: eeXxnIpy.exe.1.dr	Static PE information: section name: .text entropy: 7.976235825353332

Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, FS4WZPMtGmHZsvtoqxr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OpGs0t0u2p', 'EGMsc3hQGy', 'y1FsioBIwG', 'yGPs2vPoSy', 'jlKsED5VnD', 'Hh1sWwSddW', 'vEYsHiNQt6'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, xLnFXNr3HFxaLKS95p.cs	High entropy of concatenated method names: 'H2tqPfQ5NC', 'ROfqj5oVNJ', 'kGXqVgnKSj', 'VQbVmawvla', 'TVZVzro6JV', 'bGuqKjlXm4', 'IJ6qMeWbdy', 'V6hqYMe6Wo', 'cbSqtgm584', 'vkHqn6OPDE'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, WpTrCDeRd6UKSRIBf0.cs	High entropy of concatenated method names: 'KKw5NqH0jc', 'dF65x4J3D5', 'pmjj6Em8FG', 'a5Yj9PFkuV', 'FlIjU3pqOb', 'zywjT0EKX1', 'owgjrMyjRp', 'IWTjAVSa8C', 'idHjDx1akG', 'VqXjQImgBV'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, mRTYIxOiui1rh23kdo.cs	High entropy of concatenated method names: 'UfxwPnjyMD', 'z6awIQMqKZ', 'BjHwjpqwOt', 'C46w5wZYqZ', 'WgcwVtCHZ8', 'MHtwqReAx0', 'roJwGrIOYm', 'ARDwScggQa', 'I7PwJ5vbSp', 'EynwgbV2i5'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, hYU3HGMKWv8bkPWU6ax.cs	High entropy of concatenated method names: 'DqBC4bdBc1', 'G1HCosUVyR', 'PuEC1T1xbG', 'yCXC8DnlUO', 'vueCNkxMJS', 'gRnCZwqSxF', 'rdHCx1mcax', 'bptCp2CcLH', 'MDMCBduhj7', 'PgdCejNSg3'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	High entropy of concatenated method names: 'HmII0Qj0iD', 'ysrIcIfavG', 'AMGIi6OSyM', 'UyaI2R4pQj', 'rmLIENfF5m', 'vBoIWq596Q', 'gPGIHjhlSi', 'c9cIOp0ebS', 'j8cIFjMiQS', 'OyiIm205qG'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, NOe3SomiFjQjwIKZ19.cs	High entropy of concatenated method names: 'pwwCMMGNRl', 'QAPCtlSaJe', 'deDCnphy84', 'IgYCPnGkSu', 'liJCIERrnG', 'MqRC5Ixl2U', 'eACCVVKvC0', 'QdbwHapMg5', 'eaiwOiYppc', 'SyJwFLCUB8'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, bTT64qIAwoSlECeHGn.cs	High entropy of concatenated method names: 'Dispose', 'arQMF4Qkw2', 'lQHYkem6Gi', 'VWCbbJBeIj', 'bJRMmTYIxi', 'ui1Mzrh23k', 'ProcessDialogKey', 'OoPYKX7iEk', 'MJyYMYRb1m', 'jPVYYQOe3S'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, WX1d9xMMPbCWFZFN1bJ.cs	High entropy of concatenated method names: 'ToString', 'xE9stCbvrV', 'rKusnBNcM6', 'vaPs7PGZrX', 'vuOsP0vo1l', 'kljsIn6Kvk', 'CbQsjShd0o', 'Hhps5m2EVY', 'AW31hKWRkDBxue9ujjw', 'kyZA0SW6BjZLNha57Em'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, LuTWFhDqbyYGms4qGU.cs	High entropy of concatenated method names: 'o2pq4HHOYF', 'RMsqonMdDi', 'dN1q1TOFsJ', 'Iu6q8XTHZG', 'dGpqNiW6Ny', 'iLxqZcUhyo', 'XtMqxNqAQP', 'bSOqpJ2ACZ', 'x68qBq1gyA', 'SOXqe0ryUd'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, BFcI26iDUMvT9J3TRi.cs	High entropy of concatenated method names: 'ToString', 'E0GXdM9HRU', 'mAcXkJotsZ', 'VcaX6jy0HS', 'Ya9X9mf835', 'MCBXUb5s86', 'd2ZXTOkVNF', 'elFXr7AWpm', 'k8oXAXCnL1', 'x1JXDwmIcX'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, tFal2IWqM4KEuopdVU.cs	High entropy of concatenated method names: 'LsgRObLiK0', 'BUfRmw0jrT', 'SaCwKLPviK', 'fKPwMfeCBM', 'BGFRdbNv2T', 'mAFRhkvjgl', 'CE2RLjkVGh', 'qnWR0QbHtN', 'EgcRcCDl8v', 'TOmRi2osne'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, Q7YLY1zjDKs4A9wNqQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yggClUrEYY', 'hMdCyLCJko', 'G2jCXh7A37', 'BHiCRKMxFX', 'rRKCwAi4Am', 'PXwCCP9MxL', 'sArCs13RcM'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, hkDdW7nnKXps9uafUV.cs	High entropy of concatenated method names: 'X5lMqmWwLF', 'Iy3MGCsQoa', 'UO7MJj0XYh', 'lu4MgnHpTr', 'qIBMyf0dUv', 'GbpMXFjlmj', 'SZggXJ5LBlaVun6rde', 'UurvbqrwC453On0kGM', 'enqZqZhBMld2aa4SnV', 'oh3MMl6yxl'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, PvJ5GG095hCttXfFSn.cs	High entropy of concatenated method names: 'Dk2yQkXhvJ', 'PnWyh8pcUW', 'bpJy0xxabw', 'bp5ycTMwKL', 'NeUykt14Mn', 'yEky6L9y8H', 'sZMy92wMDr', 'CA9yU2PKq8', 'Op3yTA58m1', 'Nlbyrg6p1t'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, KawfvEBO7j0XYhJu4n.cs	High entropy of concatenated method names: 'MABj80TYh1', 'KEwjZKo9ZQ', 'p6fjpZuR9a', 'JJcjBdA0Sg', 'Og4jy7Q2tb', 'yCYjXt40TJ', 'cMXjRaLaGs', 'VFBjwa4Qx1', 'vlJjCNNCAy', 'rB9jsDIHHx'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, fX7iEkFDJyYRb1mqPV.cs	High entropy of concatenated method names: 'xGqwaJtMUf', 'tQdwk3YJhV', 'Jfiw60dadM', 'iiiw9yCdJp', 'aABw0aNRZJ', 'fqCwUL79RX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, OUvkbpaFjlmjZtt3qe.cs	High entropy of concatenated method names: 'n1bV7PsxsA', 'MxXVI9u9Tx', 'kgBV5aut62', 'ogmVqig8kr', 'xSLVGkkq7T', 'SxI5E5r5lw', 'Uqt5WARj8j', 'D6p5HIxtDO', 'OKp5Os5roF', 'h3D5Fmece7'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, JHelOmGX9xBk92vdl7.cs	High entropy of concatenated method names: 'tYNt7gPTUp', 'wH2tPynM1X', 'F1xtIfmu2q', 'yFptjdVbZn', 'GLit5jEGVq', 'U4atVklNcI', 'H6dtqAlNFV', 'rsytGbqbgU', 'QYTtSnfiFU', 'ofetJdp4RK'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, zYcJRlYQUJlOxnn6is.cs	High entropy of concatenated method names: 'N4q14g5iG', 'dB28oC7LP', 'a6qZb04mn', 'ihoxYgJmA', 'jgyBCCfCX', 'Seye1YUvV', 'rEkgBJ3ygkxoQR86pO', 'rAuQgYvKmUqvfnxo6p', 'iquw7GlW5', 'SuSs1Xevj'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, cLoPfEL4mIMos0teB9.cs	High entropy of concatenated method names: 'sqJlp5mwrG', 'U8QlBXAKeb', 'luZlaOkHIa', 'KpIlk5st04', 'ERhl9ymdeT', 'tBylULSZZJ', 'L1Nlr8jTvL', 'TT9lAo2G3A', 'sbulQQnuhK', 'iBQldgbKWh'
Source: 1.2.SOA-Al Daleel.exe.7e00000.8.raw.unpack, Ml3vWW25nwsS3efjZZ.cs	High entropy of concatenated method names: 'STRRJwhDj0', 'UenRg0SYmG', 'ToString', 'LgYRPcYP3E', 'LxORIbiZll', 'sffRjxJRxt', 'MkoR5DA9gu', 'rUrRVdnW5f', 'rFhRq1NYIh', 'h4aRGd5qeC'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, FS4WZPMtGmHZsvtoqxr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OpGs0t0u2p', 'EGMsc3hQGy', 'y1FsioBIwG', 'yGPs2vPoSy', 'jlKsED5VnD', 'Hh1sWwSddW', 'vEYsHiNQt6'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, xLnFXNr3HFxaLKS95p.cs	High entropy of concatenated method names: 'H2tqPfQ5NC', 'ROfqj5oVNJ', 'kGXqVgnKSj', 'VQbVmawvla', 'TVZVzro6JV', 'bGuqKjlXm4', 'IJ6qMeWbdy', 'V6hqYMe6Wo', 'cbSqtgm584', 'vkHqn6OPDE'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, WpTrCDeRd6UKSRIBf0.cs	High entropy of concatenated method names: 'KKw5NqH0jc', 'dF65x4J3D5', 'pmjj6Em8FG', 'a5Yj9PFkuV', 'FlIjU3pqOb', 'zywjT0EKX1', 'owgjrMyjRp', 'IWTjAVSa8C', 'idHjDx1akG', 'VqXjQImgBV'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, mRTYIxOiui1rh23kdo.cs	High entropy of concatenated method names: 'UfxwPnjyMD', 'z6awIQMqKZ', 'BjHwjpqwOt', 'C46w5wZYqZ', 'WgcwVtCHZ8', 'MHtwqReAx0', 'roJwGrIOYm', 'ARDwScggQa', 'I7PwJ5vbSp', 'EynwgbV2i5'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, hYU3HGMKWv8bkPWU6ax.cs	High entropy of concatenated method names: 'DqBC4bdBc1', 'G1HCosUVyR', 'PuEC1T1xbG', 'yCXC8DnlUO', 'vueCNkxMJS', 'gRnCZwqSxF', 'rdHCx1mcax', 'bptCp2CcLH', 'MDMCBduhj7', 'PgdCejNSg3'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	High entropy of concatenated method names: 'HmII0Qj0iD', 'ysrIcIfavG', 'AMGIi6OSyM', 'UyaI2R4pQj', 'rmLIENfF5m', 'vBoIWq596Q', 'gPGIHjhlSi', 'c9cIOp0ebS', 'j8cIFjMiQS', 'OyiIm205qG'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, NOe3SomiFjQjwIKZ19.cs	High entropy of concatenated method names: 'pwwCMMGNRl', 'QAPCtlSaJe', 'deDCnphy84', 'IgYCPnGkSu', 'liJCIERrnG', 'MqRC5Ixl2U', 'eACCVVKvC0', 'QdbwHapMg5', 'eaiwOiYppc', 'SyJwFLCUB8'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, bTT64qIAwoSlECeHGn.cs	High entropy of concatenated method names: 'Dispose', 'arQMF4Qkw2', 'lQHYkem6Gi', 'VWCbbJBeIj', 'bJRMmTYIxi', 'ui1Mzrh23k', 'ProcessDialogKey', 'OoPYKX7iEk', 'MJyYMYRb1m', 'jPVYYQOe3S'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, WX1d9xMMPbCWFZFN1bJ.cs	High entropy of concatenated method names: 'ToString', 'xE9stCbvrV', 'rKusnBNcM6', 'vaPs7PGZrX', 'vuOsP0vo1l', 'kljsIn6Kvk', 'CbQsjShd0o', 'Hhps5m2EVY', 'AW31hKWRkDBxue9ujjw', 'kyZA0SW6BjZLNha57Em'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, LuTWFhDqbyYGms4qGU.cs	High entropy of concatenated method names: 'o2pq4HHOYF', 'RMsqonMdDi', 'dN1q1TOFsJ', 'Iu6q8XTHZG', 'dGpqNiW6Ny', 'iLxqZcUhyo', 'XtMqxNqAQP', 'bSOqpJ2ACZ', 'x68qBq1gyA', 'SOXqe0ryUd'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, BFcI26iDUMvT9J3TRi.cs	High entropy of concatenated method names: 'ToString', 'E0GXdM9HRU', 'mAcXkJotsZ', 'VcaX6jy0HS', 'Ya9X9mf835', 'MCBXUb5s86', 'd2ZXTOkVNF', 'elFXr7AWpm', 'k8oXAXCnL1', 'x1JXDwmIcX'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, tFal2IWqM4KEuopdVU.cs	High entropy of concatenated method names: 'LsgRObLiK0', 'BUfRmw0jrT', 'SaCwKLPviK', 'fKPwMfeCBM', 'BGFRdbNv2T', 'mAFRhkvjgl', 'CE2RLjkVGh', 'qnWR0QbHtN', 'EgcRcCDl8v', 'TOmRi2osne'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, Q7YLY1zjDKs4A9wNqQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yggClUrEYY', 'hMdCyLCJko', 'G2jCXh7A37', 'BHiCRKMxFX', 'rRKCwAi4Am', 'PXwCCP9MxL', 'sArCs13RcM'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, hkDdW7nnKXps9uafUV.cs	High entropy of concatenated method names: 'X5lMqmWwLF', 'Iy3MGCsQoa', 'UO7MJj0XYh', 'lu4MgnHpTr', 'qIBMyf0dUv', 'GbpMXFjlmj', 'SZggXJ5LBlaVun6rde', 'UurvbqrwC453On0kGM', 'enqZqZhBMld2aa4SnV', 'oh3MMl6yxl'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, PvJ5GG095hCttXfFSn.cs	High entropy of concatenated method names: 'Dk2yQkXhvJ', 'PnWyh8pcUW', 'bpJy0xxabw', 'bp5ycTMwKL', 'NeUykt14Mn', 'yEky6L9y8H', 'sZMy92wMDr', 'CA9yU2PKq8', 'Op3yTA58m1', 'Nlbyrg6p1t'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, KawfvEBO7j0XYhJu4n.cs	High entropy of concatenated method names: 'MABj80TYh1', 'KEwjZKo9ZQ', 'p6fjpZuR9a', 'JJcjBdA0Sg', 'Og4jy7Q2tb', 'yCYjXt40TJ', 'cMXjRaLaGs', 'VFBjwa4Qx1', 'vlJjCNNCAy', 'rB9jsDIHHx'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, fX7iEkFDJyYRb1mqPV.cs	High entropy of concatenated method names: 'xGqwaJtMUf', 'tQdwk3YJhV', 'Jfiw60dadM', 'iiiw9yCdJp', 'aABw0aNRZJ', 'fqCwUL79RX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, OUvkbpaFjlmjZtt3qe.cs	High entropy of concatenated method names: 'n1bV7PsxsA', 'MxXVI9u9Tx', 'kgBV5aut62', 'ogmVqig8kr', 'xSLVGkkq7T', 'SxI5E5r5lw', 'Uqt5WARj8j', 'D6p5HIxtDO', 'OKp5Os5roF', 'h3D5Fmece7'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, JHelOmGX9xBk92vdl7.cs	High entropy of concatenated method names: 'tYNt7gPTUp', 'wH2tPynM1X', 'F1xtIfmu2q', 'yFptjdVbZn', 'GLit5jEGVq', 'U4atVklNcI', 'H6dtqAlNFV', 'rsytGbqbgU', 'QYTtSnfiFU', 'ofetJdp4RK'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, zYcJRlYQUJlOxnn6is.cs	High entropy of concatenated method names: 'N4q14g5iG', 'dB28oC7LP', 'a6qZb04mn', 'ihoxYgJmA', 'jgyBCCfCX', 'Seye1YUvV', 'rEkgBJ3ygkxoQR86pO', 'rAuQgYvKmUqvfnxo6p', 'iquw7GlW5', 'SuSs1Xevj'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, cLoPfEL4mIMos0teB9.cs	High entropy of concatenated method names: 'sqJlp5mwrG', 'U8QlBXAKeb', 'luZlaOkHIa', 'KpIlk5st04', 'ERhl9ymdeT', 'tBylULSZZJ', 'L1Nlr8jTvL', 'TT9lAo2G3A', 'sbulQQnuhK', 'iBQldgbKWh'
Source: 1.2.SOA-Al Daleel.exe.4457ff0.3.raw.unpack, Ml3vWW25nwsS3efjZZ.cs	High entropy of concatenated method names: 'STRRJwhDj0', 'UenRg0SYmG', 'ToString', 'LgYRPcYP3E', 'LxORIbiZll', 'sffRjxJRxt', 'MkoR5DA9gu', 'rUrRVdnW5f', 'rFhRq1NYIh', 'h4aRGd5qeC'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, FS4WZPMtGmHZsvtoqxr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OpGs0t0u2p', 'EGMsc3hQGy', 'y1FsioBIwG', 'yGPs2vPoSy', 'jlKsED5VnD', 'Hh1sWwSddW', 'vEYsHiNQt6'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, xLnFXNr3HFxaLKS95p.cs	High entropy of concatenated method names: 'H2tqPfQ5NC', 'ROfqj5oVNJ', 'kGXqVgnKSj', 'VQbVmawvla', 'TVZVzro6JV', 'bGuqKjlXm4', 'IJ6qMeWbdy', 'V6hqYMe6Wo', 'cbSqtgm584', 'vkHqn6OPDE'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, WpTrCDeRd6UKSRIBf0.cs	High entropy of concatenated method names: 'KKw5NqH0jc', 'dF65x4J3D5', 'pmjj6Em8FG', 'a5Yj9PFkuV', 'FlIjU3pqOb', 'zywjT0EKX1', 'owgjrMyjRp', 'IWTjAVSa8C', 'idHjDx1akG', 'VqXjQImgBV'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, mRTYIxOiui1rh23kdo.cs	High entropy of concatenated method names: 'UfxwPnjyMD', 'z6awIQMqKZ', 'BjHwjpqwOt', 'C46w5wZYqZ', 'WgcwVtCHZ8', 'MHtwqReAx0', 'roJwGrIOYm', 'ARDwScggQa', 'I7PwJ5vbSp', 'EynwgbV2i5'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, hYU3HGMKWv8bkPWU6ax.cs	High entropy of concatenated method names: 'DqBC4bdBc1', 'G1HCosUVyR', 'PuEC1T1xbG', 'yCXC8DnlUO', 'vueCNkxMJS', 'gRnCZwqSxF', 'rdHCx1mcax', 'bptCp2CcLH', 'MDMCBduhj7', 'PgdCejNSg3'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, nmWwLFp6y3CsQoaaSm.cs	High entropy of concatenated method names: 'HmII0Qj0iD', 'ysrIcIfavG', 'AMGIi6OSyM', 'UyaI2R4pQj', 'rmLIENfF5m', 'vBoIWq596Q', 'gPGIHjhlSi', 'c9cIOp0ebS', 'j8cIFjMiQS', 'OyiIm205qG'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, NOe3SomiFjQjwIKZ19.cs	High entropy of concatenated method names: 'pwwCMMGNRl', 'QAPCtlSaJe', 'deDCnphy84', 'IgYCPnGkSu', 'liJCIERrnG', 'MqRC5Ixl2U', 'eACCVVKvC0', 'QdbwHapMg5', 'eaiwOiYppc', 'SyJwFLCUB8'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, bTT64qIAwoSlECeHGn.cs	High entropy of concatenated method names: 'Dispose', 'arQMF4Qkw2', 'lQHYkem6Gi', 'VWCbbJBeIj', 'bJRMmTYIxi', 'ui1Mzrh23k', 'ProcessDialogKey', 'OoPYKX7iEk', 'MJyYMYRb1m', 'jPVYYQOe3S'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, WX1d9xMMPbCWFZFN1bJ.cs	High entropy of concatenated method names: 'ToString', 'xE9stCbvrV', 'rKusnBNcM6', 'vaPs7PGZrX', 'vuOsP0vo1l', 'kljsIn6Kvk', 'CbQsjShd0o', 'Hhps5m2EVY', 'AW31hKWRkDBxue9ujjw', 'kyZA0SW6BjZLNha57Em'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, LuTWFhDqbyYGms4qGU.cs	High entropy of concatenated method names: 'o2pq4HHOYF', 'RMsqonMdDi', 'dN1q1TOFsJ', 'Iu6q8XTHZG', 'dGpqNiW6Ny', 'iLxqZcUhyo', 'XtMqxNqAQP', 'bSOqpJ2ACZ', 'x68qBq1gyA', 'SOXqe0ryUd'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, BFcI26iDUMvT9J3TRi.cs	High entropy of concatenated method names: 'ToString', 'E0GXdM9HRU', 'mAcXkJotsZ', 'VcaX6jy0HS', 'Ya9X9mf835', 'MCBXUb5s86', 'd2ZXTOkVNF', 'elFXr7AWpm', 'k8oXAXCnL1', 'x1JXDwmIcX'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, tFal2IWqM4KEuopdVU.cs	High entropy of concatenated method names: 'LsgRObLiK0', 'BUfRmw0jrT', 'SaCwKLPviK', 'fKPwMfeCBM', 'BGFRdbNv2T', 'mAFRhkvjgl', 'CE2RLjkVGh', 'qnWR0QbHtN', 'EgcRcCDl8v', 'TOmRi2osne'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, Q7YLY1zjDKs4A9wNqQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yggClUrEYY', 'hMdCyLCJko', 'G2jCXh7A37', 'BHiCRKMxFX', 'rRKCwAi4Am', 'PXwCCP9MxL', 'sArCs13RcM'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, hkDdW7nnKXps9uafUV.cs	High entropy of concatenated method names: 'X5lMqmWwLF', 'Iy3MGCsQoa', 'UO7MJj0XYh', 'lu4MgnHpTr', 'qIBMyf0dUv', 'GbpMXFjlmj', 'SZggXJ5LBlaVun6rde', 'UurvbqrwC453On0kGM', 'enqZqZhBMld2aa4SnV', 'oh3MMl6yxl'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, PvJ5GG095hCttXfFSn.cs	High entropy of concatenated method names: 'Dk2yQkXhvJ', 'PnWyh8pcUW', 'bpJy0xxabw', 'bp5ycTMwKL', 'NeUykt14Mn', 'yEky6L9y8H', 'sZMy92wMDr', 'CA9yU2PKq8', 'Op3yTA58m1', 'Nlbyrg6p1t'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, KawfvEBO7j0XYhJu4n.cs	High entropy of concatenated method names: 'MABj80TYh1', 'KEwjZKo9ZQ', 'p6fjpZuR9a', 'JJcjBdA0Sg', 'Og4jy7Q2tb', 'yCYjXt40TJ', 'cMXjRaLaGs', 'VFBjwa4Qx1', 'vlJjCNNCAy', 'rB9jsDIHHx'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, fX7iEkFDJyYRb1mqPV.cs	High entropy of concatenated method names: 'xGqwaJtMUf', 'tQdwk3YJhV', 'Jfiw60dadM', 'iiiw9yCdJp', 'aABw0aNRZJ', 'fqCwUL79RX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, OUvkbpaFjlmjZtt3qe.cs	High entropy of concatenated method names: 'n1bV7PsxsA', 'MxXVI9u9Tx', 'kgBV5aut62', 'ogmVqig8kr', 'xSLVGkkq7T', 'SxI5E5r5lw', 'Uqt5WARj8j', 'D6p5HIxtDO', 'OKp5Os5roF', 'h3D5Fmece7'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, JHelOmGX9xBk92vdl7.cs	High entropy of concatenated method names: 'tYNt7gPTUp', 'wH2tPynM1X', 'F1xtIfmu2q', 'yFptjdVbZn', 'GLit5jEGVq', 'U4atVklNcI', 'H6dtqAlNFV', 'rsytGbqbgU', 'QYTtSnfiFU', 'ofetJdp4RK'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, zYcJRlYQUJlOxnn6is.cs	High entropy of concatenated method names: 'N4q14g5iG', 'dB28oC7LP', 'a6qZb04mn', 'ihoxYgJmA', 'jgyBCCfCX', 'Seye1YUvV', 'rEkgBJ3ygkxoQR86pO', 'rAuQgYvKmUqvfnxo6p', 'iquw7GlW5', 'SuSs1Xevj'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, cLoPfEL4mIMos0teB9.cs	High entropy of concatenated method names: 'sqJlp5mwrG', 'U8QlBXAKeb', 'luZlaOkHIa', 'KpIlk5st04', 'ERhl9ymdeT', 'tBylULSZZJ', 'L1Nlr8jTvL', 'TT9lAo2G3A', 'sbulQQnuhK', 'iBQldgbKWh'
Source: 1.2.SOA-Al Daleel.exe.4511010.5.raw.unpack, Ml3vWW25nwsS3efjZZ.cs	High entropy of concatenated method names: 'STRRJwhDj0', 'UenRg0SYmG', 'ToString', 'LgYRPcYP3E', 'LxORIbiZll', 'sffRjxJRxt', 'MkoR5DA9gu', 'rUrRVdnW5f', 'rFhRq1NYIh', 'h4aRGd5qeC'

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

File created: C:\Users\user\AppData\Roaming\eeXxnIpy.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SOA-Al Daleel.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eeXxnIpy.exe PID: 8016, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 7BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 75D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 8BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 9BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 9EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: AEE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 7EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: 9EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: AEE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 53E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 7E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 8E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: A300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: A300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6693	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1480	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2701	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2515	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99858s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8024	Thread sleep count: 1480 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8024	Thread sleep count: 2701 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99638s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99529s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99419s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8008	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6608	Thread sleep count: 1761 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6608	Thread sleep count: 2515 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99495s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99389s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99135s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -99025s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -98916s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -98800s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -98457s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -98132s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97737s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97498s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -97044s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99495	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99135	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99025	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98800	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98457	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98132	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97737	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97498	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllContH
Source: MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D6C008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A0F008	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Queries volume information: C:\Users\user\Desktop\SOA-Al Daleel.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA-Al Daleel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Queries volume information: C:\Users\user\AppData\Roaming\eeXxnIpy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eeXxnIpy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SOA-Al Daleel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1366722684.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2566283854.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA-Al Daleel.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eeXxnIpy.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5960, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA-Al Daleel.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eeXxnIpy.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5960, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.eeXxnIpy.exe.448aa90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOA-Al Daleel.exe.41f9a78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1366722684.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2566283854.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA-Al Daleel.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eeXxnIpy.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5960, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA-Al Daleel.exe	29%	ReversingLabs	Win32.Trojan.Generic
SOA-Al Daleel.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eeXxnIpy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eeXxnIpy.exe	29%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
time.windows.com	unknown	unknown	false	unknown
56.126.166.20.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0A	MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	MSBuild.exe, 0000000A.00000002.1370457143.0000000006180000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2572939795.0000000005E10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	SOA-Al Daleel.exe, 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, eeXxnIpy.exe, 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	MSBuild.exe, 0000000A.00000002.1366722684.0000000003028000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2566283854.0000000002C17000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SOA-Al Daleel.exe, 00000001.00000002.1350225634.0000000003151000.00000004.00000800.00020000.00000000.sdmp, eeXxnIpy.exe, 0000000B.00000002.1384682495.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.223	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467074
Start date and time:	2024-07-03 17:47:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA-Al Daleel.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@20/11@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 240 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.119.148.38, 184.28.90.27, 40.68.123.157, 2.19.126.163, 2.19.126.137, 20.3.187.198, 20.166.126.56, 13.85.23.86
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SOA-Al Daleel.exe

Simulations

Behavior and APIs

Time	Type	Description
11:48:07	API Interceptor	1x Sleep call for process: SOA-Al Daleel.exe modified
11:48:08	API Interceptor	12x Sleep call for process: powershell.exe modified
11:48:09	API Interceptor	44x Sleep call for process: MSBuild.exe modified
11:48:10	API Interceptor	1x Sleep call for process: eeXxnIpy.exe modified
17:48:09	Task Scheduler	Run new task: eeXxnIpy path: C:\Users\user\AppData\Roaming\eeXxnIpy.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
208.91.199.223	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION.exe	Get hash	malicious	AgentTesla	Browse
	Attached Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Swift Copy_98754.bat.exe	Get hash	malicious	AgentTesla	Browse
	Swift Copy TT USD14037800.PDF.exe	Get hash	malicious	AgentTesla	Browse
	PO#0094321.exe	Get hash	malicious	AgentTesla	Browse
	P.O (PA) 452.exe	Get hash	malicious	AgentTesla	Browse
	DHL Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse
	Product Sample 76438.exe	Get hash	malicious	AgentTesla	Browse
	HSBC-payment-Advice.bat	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	6bdudXAsQW.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.21042.22708.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	Quotation No.06262024.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	I0Hw9G8QDJ.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Urgent PO.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.199.224
	z1PURCHASEORDER736353.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.199.224
	PO#0094321.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
bg.microsoft.map.fastly.net	Invoices AMM Consol 020-04860612.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	Invoices AMM Consol 020-04860612.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://beetrootculture.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://isothermcx-my.sharepoint.com/:o:/p/m_chiasson/EldSmlva1OBFixvWpubo0mgB0DZQ4Do42riWb9YO1XmP-g?e=5%3av4rvfI&at=9	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	kZa81nzREg.exe	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://inpzk.useringimportdulcimer.ink/?=vxkncwole9	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	6bdudXAsQW.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.21042.22708.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	https://wazzootech.co/cgi-ssl/	Get hash	malicious	Unknown	Browse	162.251.85.203
	cp3pOZHLxp.exe	Get hash	malicious	AgentTesla	Browse	216.10.246.185
	NsqPGxz4Gj.exe	Get hash	malicious	AgentTesla	Browse	216.10.246.185
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	Quotation No.06262024.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	I0Hw9G8QDJ.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225

Process:	C:\Users\user\Desktop\SOA-Al Daleel.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eeXxnIpy.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\eeXxnIpy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3797706053345555
Encrypted:	false
SSDEEP:	48:fWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//MPUyus:fLHxv/IwLZ2KRH6Ougss
MD5:	DDD33D9AF3DCABB4627D243179EE42B4
SHA1:	9370876B9D2ADEFB2D5EA5B3D1891DD553C53C79
SHA-256:	11C6FC8165BE652FA9537A58E6C221CE712B800370BEE30F369917A957007ABC
SHA-512:	D65BF41523B71A0C3D038981843066372E59C7AAFFAC899804F401FEB87F5A5D34138C78A91D2F5D4876235F67A5AB02F81D4FAE9EDF71B77E4EFB931AA8A0BA
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ectwbuih.5cg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnyspowo.u10.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohak1fj1.vyt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqxq0o4h.eom.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2314.tmp

Download File

Process:	C:\Users\user\Desktop\SOA-Al Daleel.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.1167969545122345
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTJ1v
MD5:	3D7CFEEEA3CCEF43E837D48E414BD62D
SHA1:	4E3A9DBAAEB25E6BD189290F31D99AE0908A42D1
SHA-256:	2E050483ED971F2BE02867D359A101904098B45D0BE711654F64EE003A79456D
SHA-512:	F837D245F4E323CEF230CB1D46768450B75B3358F69D83C881B1712043EFC75135B5730403936AE01D0999B2486E02CD8892BE969C9D2F7A235905207BFDF7A9
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp2F78.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\eeXxnIpy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.1167969545122345
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTJ1v
MD5:	3D7CFEEEA3CCEF43E837D48E414BD62D
SHA1:	4E3A9DBAAEB25E6BD189290F31D99AE0908A42D1
SHA-256:	2E050483ED971F2BE02867D359A101904098B45D0BE711654F64EE003A79456D
SHA-512:	F837D245F4E323CEF230CB1D46768450B75B3358F69D83C881B1712043EFC75135B5730403936AE01D0999B2486E02CD8892BE969C9D2F7A235905207BFDF7A9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\eeXxnIpy.exe

Download File

Process:	C:\Users\user\Desktop\SOA-Al Daleel.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	959488
Entropy (8bit):	7.947573023101732
Encrypted:	false
SSDEEP:	24576:3t4/d6Itn2xHd9AwO5U92mJKvy8YheLxl+qD9l:3Yd62gMU91KvyCX9v
MD5:	487DE74E533BEC62AD60B71ED4990B14
SHA1:	68816BDB2128901D938ADEE5BBBDCFE9AD710BF1
SHA-256:	4D7A7D2B1E9422EAE20449218FC515B1E526D03F1BBF0D371AD4FFBCB13A51B4
SHA-512:	27159C1378FD047D12BB6DFE533A176105D37B1845EFDBFDEF1A6D4F96C4DFEA1C6630B5B62DC522D7F2CC24EC5B0F142DDD19EBBE24F7A62A01A0E275E36F96
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-=...............0..<...f.......Z... ...`....@.. ....................................@.................................2Z..O....`...d...........................=..p............................................ ............... ..H............text....:... ...<.................. ..`.rsrc....d...`...d...>..............@..@.reloc..............................@..B................fZ......H.......Xk...E......5....................................................0............}.....s....}......}.....(.......(......{.....o.....(C........,b..{....r...po......r...po......{....(J......(....o......{.....o......{....r...po.......}.....8U......}.....{....r)..po......r)..po.....(C.....{.....oX......(....o......{.....oZ...o......{.....o^......(....o......{.....o\......(....o......{.....o`......(....o......{.....ob......(....o......u...........,H..{.....o......{....r...po.

C:\Users\user\AppData\Roaming\eeXxnIpy.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SOA-Al Daleel.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.947573023101732
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SOA-Al Daleel.exe
File size:	959'488 bytes
MD5:	487de74e533bec62ad60b71ed4990b14
SHA1:	68816bdb2128901d938adee5bbbdcfe9ad710bf1
SHA256:	4d7a7d2b1e9422eae20449218fc515b1e526d03f1bbf0d371ad4ffbcb13a51b4
SHA512:	27159c1378fd047d12bb6dfe533a176105d37b1845efdbfdef1a6d4f96c4dfea1c6630b5b62dc522d7f2cc24ec5b0f142ddd19ebbe24f7a62a01a0e275e36f96
SSDEEP:	24576:3t4/d6Itn2xHd9AwO5U92mJKvy8YheLxl+qD9l:3Yd62gMU91KvyCX9v
TLSH:	2415222327A5CB12C93E4FF9C136A4501772FD1628A5C39D2DD6B0FA96B2B304825F67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-=...............0..<...f.......Z... ...`....@.. ....................................@................................

File Icon


Icon Hash:	66666667e69c310e

Static PE Info

General

Entrypoint:	0x4e5a86
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9E3D2D85 [Sun Feb 15 23:04:37 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe5a32	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x6400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe3d10	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe3a8c	0xe3c00	997797e1d6ed825ba755533a2a14bdb6	False	0.971199446007135	data	7.976235825353332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0x6400	0x6400	b5ea3ae5e9194fb0e15de0d3f7c9564d	False	0.395546875	data	5.147795841907734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	e12199d472f186b74914aa28a23a1832	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe61e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.2701612903225806
RT_ICON	0xe64d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.4966216216216216
RT_ICON	0xe6610	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5439765458422174
RT_ICON	0xe74c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.6656137184115524
RT_ICON	0xe7d80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5021676300578035
RT_ICON	0xe82f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3157676348547718
RT_ICON	0xea8b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4090056285178236
RT_ICON	0xeb968	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5859929078014184
RT_GROUP_ICON	0xebde0	0x76	data	0.6440677966101694
RT_VERSION	0xebe68	0x398	OpenPGP Public Key	0.41956521739130437
RT_MANIFEST	0xec210	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 17:48:03.203267097 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:03.589106083 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:03.932893038 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 3, 2024 17:48:03.995409966 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:03.995425940 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:04.089169025 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:04.339118004 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:05.839179039 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:08.823513031 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:10.669138908 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:10.674163103 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:10.674245119 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:11.594008923 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.594904900 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:11.595489979 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.595534086 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:11.599904060 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.758618116 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.758793116 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:11.764245987 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.919146061 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:11.926153898 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:11.931231022 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.086302996 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.086323977 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.086335897 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.086349010 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.086385012 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.086441040 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.178772926 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.222887039 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.227880001 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.383338928 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.399636984 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.404823065 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.559670925 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.561415911 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.566557884 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.723911047 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.725133896 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.730000019 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.925925970 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:12.926198006 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:12.931097031 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:13.088927031 CEST	587	49708	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:13.182898998 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:13.651676893 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 3, 2024 17:48:13.698518991 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:13.698529005 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:13.753437996 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:13.854036093 CEST	49708	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.104731083 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.109601974 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.109687090 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.655329943 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.656063080 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.661978960 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.811686993 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.811943054 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.817756891 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.886024952 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:14.966609955 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:14.972779036 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:14.977803946 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436369896 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436395884 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436407089 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436469078 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.436499119 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436645985 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.436702013 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.438484907 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.439435959 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.439486027 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.494842052 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.499855042 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.651171923 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.687803984 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.693717957 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.874062061 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:15.920413017 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:15.925403118 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.081845045 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.136065006 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.199441910 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.205262899 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.360378027 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.362230062 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.367281914 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.519902945 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.520153046 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.524967909 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.704893112 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.705132961 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.709969044 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.913655996 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.921257019 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.921574116 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.921600103 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.921618938 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:16.926426888 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.926589012 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.926599979 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:16.926609039 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:17.214711905 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:17.448537111 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:17.448539972 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:48:17.448611021 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:48:24.603090048 CEST	49704	443	192.168.2.7	104.98.116.138
Jul 3, 2024 17:48:24.613979101 CEST	443	49704	104.98.116.138	192.168.2.7
Jul 3, 2024 17:48:26.792382002 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 3, 2024 17:48:44.099287033 CEST	49183	53	192.168.2.7	162.159.36.2
Jul 3, 2024 17:48:44.104240894 CEST	53	49183	162.159.36.2	192.168.2.7
Jul 3, 2024 17:48:44.104346991 CEST	49183	53	192.168.2.7	162.159.36.2
Jul 3, 2024 17:48:44.104373932 CEST	49183	53	192.168.2.7	162.159.36.2
Jul 3, 2024 17:48:44.109329939 CEST	53	49183	162.159.36.2	192.168.2.7
Jul 3, 2024 17:48:44.574497938 CEST	53	49183	162.159.36.2	192.168.2.7
Jul 3, 2024 17:48:44.578984022 CEST	49183	53	192.168.2.7	162.159.36.2
Jul 3, 2024 17:48:44.584225893 CEST	53	49183	162.159.36.2	192.168.2.7
Jul 3, 2024 17:48:44.584280014 CEST	49183	53	192.168.2.7	162.159.36.2
Jul 3, 2024 17:49:54.121217012 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:49:54.132643938 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:49:54.285662889 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:49:54.286983967 CEST	587	49711	208.91.199.223	192.168.2.7
Jul 3, 2024 17:49:54.287072897 CEST	49711	587	192.168.2.7	208.91.199.223
Jul 3, 2024 17:49:54.290275097 CEST	49711	587	192.168.2.7	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 17:48:07.904119015 CEST	60659	53	192.168.2.7	1.1.1.1
Jul 3, 2024 17:48:10.647198915 CEST	54937	53	192.168.2.7	1.1.1.1
Jul 3, 2024 17:48:10.658288002 CEST	53	54937	1.1.1.1	192.168.2.7
Jul 3, 2024 17:48:44.098644972 CEST	53	62739	162.159.36.2	192.168.2.7
Jul 3, 2024 17:48:44.596067905 CEST	54261	53	192.168.2.7	1.1.1.1
Jul 3, 2024 17:48:44.604533911 CEST	53	54261	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 17:48:07.904119015 CEST	192.168.2.7	1.1.1.1	0x5732	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:10.647198915 CEST	192.168.2.7	1.1.1.1	0x967f	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:44.596067905 CEST	192.168.2.7	1.1.1.1	0x9e62	Standard query (0)	56.126.166.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 17:48:07.911601067 CEST	1.1.1.1	192.168.2.7	0x5732	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 17:48:10.658288002 CEST	1.1.1.1	192.168.2.7	0x967f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:10.658288002 CEST	1.1.1.1	192.168.2.7	0x967f	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:10.658288002 CEST	1.1.1.1	192.168.2.7	0x967f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:10.658288002 CEST	1.1.1.1	192.168.2.7	0x967f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:42.097206116 CEST	1.1.1.1	192.168.2.7	0x2c1a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:42.097206116 CEST	1.1.1.1	192.168.2.7	0x2c1a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 17:48:44.604533911 CEST	1.1.1.1	192.168.2.7	0x9e62	Name error (3)	56.126.166.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 17:48:11.594008923 CEST	587	49708	208.91.199.223	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 3, 2024 17:48:11.594904900 CEST	49708	587	192.168.2.7	208.91.199.223	EHLO 928100
Jul 3, 2024 17:48:11.595489979 CEST	587	49708	208.91.199.223	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 3, 2024 17:48:11.758618116 CEST	587	49708	208.91.199.223	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jul 3, 2024 17:48:11.758793116 CEST	49708	587	192.168.2.7	208.91.199.223	STARTTLS
Jul 3, 2024 17:48:11.919146061 CEST	587	49708	208.91.199.223	192.168.2.7	220 2.0.0 Ready to start TLS
Jul 3, 2024 17:48:14.655329943 CEST	587	49711	208.91.199.223	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 3, 2024 17:48:14.656063080 CEST	49711	587	192.168.2.7	208.91.199.223	EHLO 928100
Jul 3, 2024 17:48:14.811686993 CEST	587	49711	208.91.199.223	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Jul 3, 2024 17:48:14.811943054 CEST	49711	587	192.168.2.7	208.91.199.223	STARTTLS
Jul 3, 2024 17:48:14.966609955 CEST	587	49711	208.91.199.223	192.168.2.7	220 2.0.0 Ready to start TLS

Target ID:	1
Start time:	11:48:06
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\SOA-Al Daleel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA-Al Daleel.exe"
Imagebase:	0x980000
File size:	959'488 bytes
MD5 hash:	487DE74E533BEC62AD60B71ED4990B14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1351009324.00000000041BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:48:07
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eeXxnIpy.exe"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:48:07
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:48:07
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2314.tmp"
Imagebase:	0x200000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:48:07
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:48:08
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x9d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:48:08
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x70000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:48:08
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xb70000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1366722684.0000000003020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1363137995.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1366722684.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:48:09
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\eeXxnIpy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eeXxnIpy.exe
Imagebase:	0xf70000
File size:	959'488 bytes
MD5 hash:	487DE74E533BEC62AD60B71ED4990B14
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1398049009.0000000004450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:48:09
Start date:	03/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	11:48:11
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eeXxnIpy" /XML "C:\Users\user\AppData\Local\Temp\tmp2F78.tmp"
Imagebase:	0x200000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:48:11
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:48:11
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x850000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2566283854.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2566283854.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	326
Total number of Limit Nodes:	10

Executed Functions

Function 07483D50 Relevance: 9.0, Strings: 7, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07484045
$q, xrefs: 07483FDB
Teq, xrefs: 07483DC7
!Y3E, xrefs: 07483E4A
$q, xrefs: 07484039
Teq, xrefs: 07483D81
$q, xrefs: 07483FCF

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: !Y3E$Teq$Teq$$q$$q$$q$$q
API String ID: 0-510187712
Opcode ID: a0e4e3825407017d65afd66d911dde85e1330e27da624e53479f50866cd8cf89
Instruction ID: 95cbd7ef01b4614791947cbe046371a7d065058885b89d0b3290f66defe6946b
Opcode Fuzzy Hash: a0e4e3825407017d65afd66d911dde85e1330e27da624e53479f50866cd8cf89
Instruction Fuzzy Hash: AAA18374B102098FDB54AF79D8557AE7AF3BBC8B00F25846AE906DB394DE75DC018740

Function 07483D43 Relevance: 5.3, Strings: 4, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 07483DC7
$q, xrefs: 07484039
Teq, xrefs: 07483D81
$q, xrefs: 07483FCF

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq$Teq$$q$$q
API String ID: 0-3867074480
Opcode ID: 498335cc315804496863703e6c249ffb8b2f088060edecb8d922432f83838dbb
Instruction ID: 52c7dfd29766083d2321698b1c25a19422f3ff65122b445e534c32cbc5ccac0a
Opcode Fuzzy Hash: 498335cc315804496863703e6c249ffb8b2f088060edecb8d922432f83838dbb
Instruction Fuzzy Hash: 7DA18374B102098FDB54AF79D855BAE7AF3BF88B01F25846AE906DB394DE71DC018740

Function 0313F6CE Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0313F892
Teq, xrefs: 0313F735

Memory Dump Source

Source File: 00000001.00000002.1350169079.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3130000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: f2b696612498d6da2b8f0998bc791c08de5f966602c2225d003ec916054e41d1
Instruction ID: 45b5c3f18915caf5b546249057375bb230827384166182fa56050d4c70067cd0
Opcode Fuzzy Hash: f2b696612498d6da2b8f0998bc791c08de5f966602c2225d003ec916054e41d1
Instruction Fuzzy Hash: F951D335F101158FDB08DB68C895AAEBBB6FF8D300F1540AAE502EB354DB35DD068B91

Function 07483EE3 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07484039
$q, xrefs: 07483FCF

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: abfc4554bb2a5aafd3f34ca122c59182904a3602bbaffa5c02e39372a9023a73
Instruction ID: 72b1a3c9478bed1a37dbbbbe74420575c59666dbdf6cd2d117562517eefe5be9
Opcode Fuzzy Hash: abfc4554bb2a5aafd3f34ca122c59182904a3602bbaffa5c02e39372a9023a73
Instruction Fuzzy Hash: 4A518374B102099FDB54AF74D855BAE7AB2FFC8B01F24846AF9069B395CE75DC018B80

Function 0313F718 Relevance: 2.6, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0313F892
Teq, xrefs: 0313F735

Memory Dump Source

Source File: 00000001.00000002.1350169079.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3130000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 3d0c447e794675e6b6b2fccd0e3331526e0a96f56556653554971e0ef83ba4cc
Instruction ID: 900d3dfd808976bdb36835ffa120221d0878c2890d05c1475d893e6c950110b7
Opcode Fuzzy Hash: 3d0c447e794675e6b6b2fccd0e3331526e0a96f56556653554971e0ef83ba4cc
Instruction Fuzzy Hash: 2541E475F101158FDB08DBA9C8556BEBBB6FB8D300F15406AE506EB354CB308D428B91

Function 07486438 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

~H@, xrefs: 07486568

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: ~H@
API String ID: 0-3968150030
Opcode ID: 39016aa1a003efdc52a98fd17f2bd625db33530f6588f463450aacea23e6d6f7
Instruction ID: 4cd866c23fed00c197dd4b84c502c7679f88ea4a1d7e9a69edc554ba01b8ec0e
Opcode Fuzzy Hash: 39016aa1a003efdc52a98fd17f2bd625db33530f6588f463450aacea23e6d6f7
Instruction Fuzzy Hash: 27C136B0B14218CBCBA4CB69C5905AEFBF6EFC5210B1A896FD446DB356C630EC42CB45

Function 0313BB60 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1350169079.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3130000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd4efde627c8dcc313b266d630d8edb1d7d20331e4bf998f0eaa51554b5f052
Instruction ID: b9667f394e1121c6828066b306f8deab6629a04330d8b952b5513fa8be81735a
Opcode Fuzzy Hash: 6cd4efde627c8dcc313b266d630d8edb1d7d20331e4bf998f0eaa51554b5f052
Instruction Fuzzy Hash: FD12B675D0471A8FCB14DF68C880AD9F7B1BF89300F15C6AAD459AB215EB70AAC5CF90

Function 0313BB70 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1350169079.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3130000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a091e07c3eb2a1ed1efd4e50f21cf3cdee0450ea7ecfd772804a6efc91b929fe
Instruction ID: c838c44f86035008ddccab79d144f7ed62bc97d8844fa444102b3b46560dbe1d
Opcode Fuzzy Hash: a091e07c3eb2a1ed1efd4e50f21cf3cdee0450ea7ecfd772804a6efc91b929fe
Instruction Fuzzy Hash: F812B675D0471A8FCB15DF68C880AD9F7B1BF49300F15C6AAD859AB211EB70AAC5CF90

Function 07481060 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdeeb0aa4bf219855a6d55cb937f81a61394fb4cccba3069b3ad8ac1507d721
Instruction ID: 72e224eb444ce8722ce121a6a5ee2b20e4a17399e490b909a909617b80de76ba
Opcode Fuzzy Hash: dfdeeb0aa4bf219855a6d55cb937f81a61394fb4cccba3069b3ad8ac1507d721
Instruction Fuzzy Hash: 0961CEB122424DCFC789DF28C9808AD7BB6BB86340F52885BD916EB261D730ED478B45

Function 07481053 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d424d07ea488b32abed3901d6120ca7f83dd19e3652e52c56aec8a3e7ee10df
Instruction ID: 1eddf3344c0fd91ca0dd56194f9edd8a25ca1d304ca4e69ff05ef9108b043e4d
Opcode Fuzzy Hash: 2d424d07ea488b32abed3901d6120ca7f83dd19e3652e52c56aec8a3e7ee10df
Instruction Fuzzy Hash: 8261F1B122415DCFC789DF28CA805AD7BB6BB86340F52886BD916EB291D730ED43CB45

Function 07487F18 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749da2d4e1a8574864083fb4cf6167ea43456a939f93315dc5bdc71b26e43faa
Instruction ID: 104fb3ad780695c2cbd779940083f6778ffc58f79b04a82fcaaa075216fc9dcc
Opcode Fuzzy Hash: 749da2d4e1a8574864083fb4cf6167ea43456a939f93315dc5bdc71b26e43faa
Instruction Fuzzy Hash: 5B41A671B1411DDFC785EFE9C9518EEFBB6EF89210F30442BE605EB250D63289428B85

Function 0313FBC8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1350169079.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3130000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c69ce1a2e3b12c1f7ae82a73d33c89761798c887be464fa44bcbda2843726a
Instruction ID: ba5040b25015f54d8753ab02a73a5f990fa550f04f34b55da03b62184e290db7
Opcode Fuzzy Hash: e0c69ce1a2e3b12c1f7ae82a73d33c89761798c887be464fa44bcbda2843726a
Instruction Fuzzy Hash: 0741B775E042158FC708CFA9D5919BEFBF6EB8D200F168067E806E7251C775CD528B51

Function 07487F28 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2b89a1f33a5f2a6518d998046739bd1c3e596ad22cceca7c21b7f3fc1023e9
Instruction ID: bd852c5c0a8cbba2f2de1ba24d6558572276bfc5f333bb6ad3df3439b04d1294
Opcode Fuzzy Hash: bd2b89a1f33a5f2a6518d998046739bd1c3e596ad22cceca7c21b7f3fc1023e9
Instruction Fuzzy Hash: C641A675A1411DDBC785AFE9C9518EEFBB6EF89210F70442BE609EB250C6318D428B85

Function 01605E87 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663487efb59faa31b9bd9c3cf9a5b1feeac537cd11f306a724c6a8f9553a0842
Instruction ID: 184f4a10252057ad914752a25b2080e1dc98ddad163cd0fae799396c5ef9e961
Opcode Fuzzy Hash: 663487efb59faa31b9bd9c3cf9a5b1feeac537cd11f306a724c6a8f9553a0842
Instruction Fuzzy Hash: 17E04F2885E2498FC716DA60AD641F27FB8DF1B140F042599884AA6192EA20851A9A15

Function 01605E1B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ffaca53a1f46b352827c36001cfe88a0869f30cf320a5815d43e3c330a6748
Instruction ID: 3ccc42cc3ac564e924da611eadbc6ffc000d6876b71ae4897eba48fdf57b1c83
Opcode Fuzzy Hash: 63ffaca53a1f46b352827c36001cfe88a0869f30cf320a5815d43e3c330a6748
Instruction Fuzzy Hash: 2FE0862484D244CFC61ADE609D541F27FBCDF1B140F047489884F57142D96085179E15

Function 01605D8A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd183ce6ec73fc0fbecbeeeca40219ed23f1ec1cf314750fa591f3977f6145f1
Instruction ID: 4ac28887c980b774e23bb4c2266481b803a618f78b9eb6cc0cab92a2ab2679a7
Opcode Fuzzy Hash: dd183ce6ec73fc0fbecbeeeca40219ed23f1ec1cf314750fa591f3977f6145f1
Instruction Fuzzy Hash: 19E04F3884E249DFC70ACF20DC546B6BFF89B0B310F04A45AC80BA72D2DE30995ADE05

Function 0136D429 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0136D4B6
GetCurrentThread.KERNEL32 ref: 0136D4F3
GetCurrentProcess.KERNEL32 ref: 0136D530
GetCurrentThreadId.KERNEL32 ref: 0136D589

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ea40ffc4cace7b47e9cb39c60ae8ae617449563dec1ec9754badf3bdd94ab90e
Instruction ID: 28e9e2be340d12718c54af9755867fe1b4752cd5d7eea528c9aedf4b8844f734
Opcode Fuzzy Hash: ea40ffc4cace7b47e9cb39c60ae8ae617449563dec1ec9754badf3bdd94ab90e
Instruction Fuzzy Hash: FE5178B0E00309CFEB14DFAAD548BAEBBF5EF88304F208059E519A7290DB746945CF65

Function 0136D438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0136D4B6
GetCurrentThread.KERNEL32 ref: 0136D4F3
GetCurrentProcess.KERNEL32 ref: 0136D530
GetCurrentThreadId.KERNEL32 ref: 0136D589

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1de5434329dde126fcc4bce1ccb63aff8a9737a1fee69452e4b50806d68ebe7b
Instruction ID: ef86bc63a7d0330175562a3a49a0c9822a14b17687c0e68c690c13f577c7288a
Opcode Fuzzy Hash: 1de5434329dde126fcc4bce1ccb63aff8a9737a1fee69452e4b50806d68ebe7b
Instruction Fuzzy Hash: A75166B0E00309CFDB14DFAAD548B9EBBF5EF88304F208459E519A7250DB74A945CF65

Function 07483F41 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07484039
$q, xrefs: 07483FCF

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 83b7b17fc69b49dbb98dd2f99d133f6661b5766777346b994c8a034bd5097920
Instruction ID: d118574bc0893e40867db54a70e6b372c1e1aa8f5ba9d9f34f3ae5ee183a4d7f
Opcode Fuzzy Hash: 83b7b17fc69b49dbb98dd2f99d133f6661b5766777346b994c8a034bd5097920
Instruction Fuzzy Hash: 97518034B003099FDB54AF74D855BAE7AB3BFC8B01F24842AE906AB395DE31DC018B50

Function 07483F7B Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07484039
$q, xrefs: 07483FCF

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 99531fbc1d859eeb3aee71c2e5e0244fe32e4b52293fe21cb33a394360b4b1a6
Instruction ID: a13ae1fa164dc3d88a0c5aaf4aada4a99f955a2d580bb02e95108427ca54ada1
Opcode Fuzzy Hash: 99531fbc1d859eeb3aee71c2e5e0244fe32e4b52293fe21cb33a394360b4b1a6
Instruction Fuzzy Hash: 7E419134B003099FDB54AF74D855BAE7AB3BFC8B01F24846AE906AB395CE31DC018B50

Function 01602284 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016024C6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7b13e48cffe7280a6ec3dc2413308315ee38c4375814532b1b24bbba001ab45e
Instruction ID: 6124fe9cc86667cceb7cf9917b1ff32a74b074d25b03e506ece42e4bd02d4b7c
Opcode Fuzzy Hash: 7b13e48cffe7280a6ec3dc2413308315ee38c4375814532b1b24bbba001ab45e
Instruction Fuzzy Hash: 96A15B71D007198FEB29CF68CC547EEBBB2BF48310F1581A9D809A7280DB759985CF91

Function 01602290 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016024C6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d59bddd345b10962c5c43838910d2141e9a537dae3b1dd0f8a77eb7fdf56dc2e
Instruction ID: c433126bfc10a3ae4f98173d2ac94012791eecf4477538c631271eff9322e332
Opcode Fuzzy Hash: d59bddd345b10962c5c43838910d2141e9a537dae3b1dd0f8a77eb7fdf56dc2e
Instruction Fuzzy Hash: C7916C71D007198FEB2ACF68CC5479EBBB2BF48310F1481A9D809A7284DB759985CF91

Function 0136ADA8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136AFFE

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 64570100ab3e9e7e0a49a48714ca09f538d0d429ea86402fd3d03cd411b82bcc
Instruction ID: 012a9b72c2f8b340c86b3f4b06a88d5a1fa28555392bcba81ae35f523c3d9162
Opcode Fuzzy Hash: 64570100ab3e9e7e0a49a48714ca09f538d0d429ea86402fd3d03cd411b82bcc
Instruction Fuzzy Hash: B9813970A00B058FD724DF2AD45475ABBF5FF88208F00892DD58AEBA54D775E846CF91

Function 0136590C Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013659C9

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ef77b96b14a25f5e0df887389a81d0a77afa62df9190b2882d1a1cb893563ead
Instruction ID: 8ad4c97ecd2235929400349206e3a4b92dbda5259dc4e768e23713bfe218187b
Opcode Fuzzy Hash: ef77b96b14a25f5e0df887389a81d0a77afa62df9190b2882d1a1cb893563ead
Instruction Fuzzy Hash: BA412171C00729CBEB24CFAAC885BCEBBF5BF48304F20816AD508AB254DB756946CF50

Function 013644E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013659C9

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cc4bcfbcaf7caf1198f8de41963e84db6130b0a0535f28dafae932836619d266
Instruction ID: 8eece0a310d6a99cbc39f433574ad51323da15c1addd47bbe28cc6348dd9d99c
Opcode Fuzzy Hash: cc4bcfbcaf7caf1198f8de41963e84db6130b0a0535f28dafae932836619d266
Instruction Fuzzy Hash: 4E410571C0071DCBEB24DFA9C84478EBBF5BF49304F208169D509AB255DB756946CF90

Function 01601CF0 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01601D78

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ebd88f2759a30952f4fdd116b138a40e272b57d4abaf2a4ae9da97a4f4398f02
Instruction ID: edfa3a41013da2d531933a253f48a5f3a00d5c9ca6667de7cd3932905d9003f4
Opcode Fuzzy Hash: ebd88f2759a30952f4fdd116b138a40e272b57d4abaf2a4ae9da97a4f4398f02
Instruction Fuzzy Hash: B1218572D003498FCB15DFA9C880BEEBBF5FF49320F14842AE958A3291C7399901CB60

Function 01601C01 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01601C98

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5b7a7ed716b4341e5bad96e0dbdd228709ecedca1e7778399311ac749966c35
Instruction ID: 55d3a4388b0b37ed3f6e38b0b4dcc894cc6907b014e978b03c2cc60ca008c8b4
Opcode Fuzzy Hash: a5b7a7ed716b4341e5bad96e0dbdd228709ecedca1e7778399311ac749966c35
Instruction Fuzzy Hash: 0A312671D003099FDB14CFA9C885BEEBBF5FF48310F10852AE919A7280D7799941DBA0

Function 01601C08 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01601C98

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5895ff3ab2090c4a34807f318f6b80aa1e90f1917123efa414b6fc16711f0e14
Instruction ID: 17fc65a2e7b521a922a64cc6defb2d06678008b5d7b29ed0c28fc480bbe27c53
Opcode Fuzzy Hash: 5895ff3ab2090c4a34807f318f6b80aa1e90f1917123efa414b6fc16711f0e14
Instruction Fuzzy Hash: 0D212771D003099FDB14DFAAC885BEEBBF5FF48310F508429E919A7280C7799941CBA4

Function 01601630 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 016016B6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7b5f613f017c86c2f1514932d37ede544676702f559f347818c898734d184c46
Instruction ID: ab5a9bfca3d4c52ebab8df41297cd02ab6bf9b18a06146cdefdb900fd5d2249b
Opcode Fuzzy Hash: 7b5f613f017c86c2f1514932d37ede544676702f559f347818c898734d184c46
Instruction Fuzzy Hash: 03213671D103098FDB24DFA9C885BEEBBF4EB49310F14842AD559A7280CB789945CFA0

Function 0136D678 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D707

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d1e67439f700918c14b28e82bb6238a02d3f9a506aa9184d5319797c422a56a9
Instruction ID: 187658d2be7995e9e370f25e1757bae8aae540b7fd9fe6eea2bb7901db0554d6
Opcode Fuzzy Hash: d1e67439f700918c14b28e82bb6238a02d3f9a506aa9184d5319797c422a56a9
Instruction Fuzzy Hash: E52105B5D002489FDB10CF9AD884ADEBFF9EB48310F14802AE914A3350D378A945CF61

Function 01601CF8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01601D78

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8e7258cf505990e5e4a63133a686f88a35cbef71e476b35720ba06a10a26a9c9
Instruction ID: 7a9d7373e1d4066a21c687d270c312384cf288f56fece3e814cd5e55c58636a7
Opcode Fuzzy Hash: 8e7258cf505990e5e4a63133a686f88a35cbef71e476b35720ba06a10a26a9c9
Instruction Fuzzy Hash: 58211471C003499FDB14DFAAC881BEEBBF5FF48310F54842AE919A7280C7799901DBA5

Function 01601638 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 016016B6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7086a85143f7db00dbe3748b0e43a119665282bef1a1a16c5fb5e92c9fa1494e
Instruction ID: dfd9768bb8f1b511dca135a78feaf5c9ed10aaeda06b0aba1a7d0523aa31ab23
Opcode Fuzzy Hash: 7086a85143f7db00dbe3748b0e43a119665282bef1a1a16c5fb5e92c9fa1494e
Instruction Fuzzy Hash: 88213471D003098FDB14DFAAC885BAEBBF4EF48320F54842AD519A7380CB789945CFA4

Function 0136D680 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D707

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 520b21d9d1400526ed6134757c701e91b58d0b91631fe48b8a12f01a6fe7cdb6
Instruction ID: d96995c27e708659efc825aabb953a9cf01998a05d9a338bd565908d7984d4d5
Opcode Fuzzy Hash: 520b21d9d1400526ed6134757c701e91b58d0b91631fe48b8a12f01a6fe7cdb6
Instruction Fuzzy Hash: 0E21E4B5D002489FDB10CF9AD884ADEFFF8EB48310F14841AE954A3350D379A944CF65

Function 01601B41 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01601BB6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ba7dce6b2c579de6c1f905339661f2ec550ed3a76a31a39b77532b5bc832a8b1
Instruction ID: 4cc3188b6ada5ce68a366733a663f92290c422e9e324dbe04b73c5c7169372bd
Opcode Fuzzy Hash: ba7dce6b2c579de6c1f905339661f2ec550ed3a76a31a39b77532b5bc832a8b1
Instruction Fuzzy Hash: 912113759003098FDB24DFA9C844BEEBBF5EF88320F14842AE555A7250C7759901CB90

Function 0136A168 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B079,00000800,00000000,00000000), ref: 0136B28A

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c0740f3bffff34a74cdacfd3aa97229eddf23763d0ebe2056ba1345b52c326a8
Instruction ID: 96fb5dade237dd72b6743f01d8e5577d661069cd2352b82483d3383a62bbf4ea
Opcode Fuzzy Hash: c0740f3bffff34a74cdacfd3aa97229eddf23763d0ebe2056ba1345b52c326a8
Instruction Fuzzy Hash: C51112B6D003098FDB20DF9AD484B9EFBF8EB48314F14842AE919A7200C375A945CFA5

Function 0136B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B079,00000800,00000000,00000000), ref: 0136B28A

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1f320f650cb4afebbd02288e3e2f2acf58cdf40c1d68be53981678126208b6d9
Instruction ID: 422ee78bcd22de9ba61e46946944691990f64710a0388a91650590efa863db5e
Opcode Fuzzy Hash: 1f320f650cb4afebbd02288e3e2f2acf58cdf40c1d68be53981678126208b6d9
Instruction Fuzzy Hash: F61112B6D002498FDB24DFAAC844BDEFBF8EB88310F14842AD919A7210C375A545CFA5

Function 01601B48 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01601BB6

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5625d08bc12ead64c4007bcd2708632aab56e68945ab4ca2bb72178912634c62
Instruction ID: 2a2063604d1b39e15f24b8cf6530f28c8b5914d8454b60d0d43a2d86d2dadba9
Opcode Fuzzy Hash: 5625d08bc12ead64c4007bcd2708632aab56e68945ab4ca2bb72178912634c62
Instruction Fuzzy Hash: FE1114758003499FDB24DFAAC845BDFBBF5EB48320F148819E519A7250CB759941CBA0

Function 01601586 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 016015EA

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 53a22e2e72b27e8624fcb5b876bbdca2c8a5856b46fcd02a862a11b1e0f0f836
Instruction ID: 5357a41a401ccb653d929c2768f9e0bd3c1b758dc56e71a3da41e95cbd888e07
Opcode Fuzzy Hash: 53a22e2e72b27e8624fcb5b876bbdca2c8a5856b46fcd02a862a11b1e0f0f836
Instruction Fuzzy Hash: CB110471D003498FDB24DFAAC8457EFBBF5AB88324F24842AD519A7240CB759941CF94

Function 01601588 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 016015EA

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5157bb3917e7392739e3b06a4b7f521f02c64508248e84db295f548fc0d6d4f4
Instruction ID: df3eb5c4d83ac5e0a33984201f65290b07d034ff5760d869c6c4842380ab50b2
Opcode Fuzzy Hash: 5157bb3917e7392739e3b06a4b7f521f02c64508248e84db295f548fc0d6d4f4
Instruction Fuzzy Hash: B1112871D003498FDB24DFAAC84579FFBF5EB48320F248419D519A7240CB75A941CF94

Function 01606850 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 016068B5

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef7c698e369fde7eecb7c833e5c3175d1a78e0ea72797b5233d09eaca48dac70
Instruction ID: b91661d6031726947a1606c793465dc42e520d17ab4af55d2f07ddaadad4558a
Opcode Fuzzy Hash: ef7c698e369fde7eecb7c833e5c3175d1a78e0ea72797b5233d09eaca48dac70
Instruction Fuzzy Hash: CA1113B5C003498FDB20CF99C845BDFBBF4EB48320F24841AD414A3250C375A944CFA1

Function 0136AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136AFFE

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 94393eb600487b6ec76d8f7f9e81a025189108ae11af39875e420fb04f953f0e
Instruction ID: 8ca3eab6d39ed7c18c754bd8ba5aab6f108b1226b088edc885d34a7cd25555f7
Opcode Fuzzy Hash: 94393eb600487b6ec76d8f7f9e81a025189108ae11af39875e420fb04f953f0e
Instruction Fuzzy Hash: DE110FB5C002498FDB20DF9AC844B9EFBF8EB88324F10842AD529A7254C379A545CFA1

Function 01601FD4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 016068B5

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f2ca9a9b9d60c393f209c7959d4c7be8afaf34a391b402e6ccf86118c01bacb4
Instruction ID: d1e3961d699b000bcc1ecab1edede83e729c18f64c4df2b7d8978e1fcc70c3e9
Opcode Fuzzy Hash: f2ca9a9b9d60c393f209c7959d4c7be8afaf34a391b402e6ccf86118c01bacb4
Instruction Fuzzy Hash: B111F5B58003499FDB10DF9AC845BDFBBF8EB48320F108419E515A7740C375A954CFA1

Function 07483528 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

Hq, xrefs: 07483646

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 3268ad402601d9c0ca632535aa6f1f458ed5a86bd930e4c8d226577854ffb744
Instruction ID: 68e5fb4de1408ec0ae6dcb79f00e6d0574bcbeb2f2f79707d6d1c4b9a04c4f6e
Opcode Fuzzy Hash: 3268ad402601d9c0ca632535aa6f1f458ed5a86bd930e4c8d226577854ffb744
Instruction Fuzzy Hash: 46916C74A002498FCB05DFA8C8909EEBBF5EF89704B14C06AE909EB351E735DD06CB91

Function 07483B04 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Teq, xrefs: 07486B49

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 3b9d61dac99bb7c11a80c8e2462480c0dcb6e4bdc44373c93c6ac0de41549043
Instruction ID: 680d30c7ca816a27ca45143e897ddfca0adadd68465b8f748e372bf302c407da
Opcode Fuzzy Hash: 3b9d61dac99bb7c11a80c8e2462480c0dcb6e4bdc44373c93c6ac0de41549043
Instruction Fuzzy Hash: E451E071B0020A8FCB54EB7998445BFBBB6EFC8324715852AE419DB391DB309C0587A1

Function 0748B2B0 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Teq, xrefs: 0748B328

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 1b52d110150c5ce46dc0d01343d5b8f8f223d361f25fb43cbb7c1c27dd9d3707
Instruction ID: 1813b10fbfe510fe7077f1391fa01941a8b2b530e3883376f8df5378f17cbf12
Opcode Fuzzy Hash: 1b52d110150c5ce46dc0d01343d5b8f8f223d361f25fb43cbb7c1c27dd9d3707
Instruction Fuzzy Hash: 3531F8B4E1420C8FDB44DFAAC8556EEBBB6FF8A300F14942AD419AB354DB705806CF40

Function 0748323B Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

4'q, xrefs: 0748324F

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 7bbef30ebfc3344b0aed794d6a3816d76901120dc024b963726c52e540921c88
Instruction ID: 2462cbf33a341d0ccc5d77260fa62a563d827e240123d19a5569ffc6e54249aa
Opcode Fuzzy Hash: 7bbef30ebfc3344b0aed794d6a3816d76901120dc024b963726c52e540921c88
Instruction Fuzzy Hash: 602192357102268BD714EBA9D840BAFB7EAFFC8B14F10812AD908DB355DAB19C0687D1

Function 07486908 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teq, xrefs: 07486973

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 4c17697b09922d3f40b1aa4a4e275c6add33c44ed8c72fad0bc08b543f5f0674
Instruction ID: 8e8a0fcf78d541e67d2e0945b99d99282b718f3347d60d251e4d78003a7042e8
Opcode Fuzzy Hash: 4c17697b09922d3f40b1aa4a4e275c6add33c44ed8c72fad0bc08b543f5f0674
Instruction Fuzzy Hash: 4D111F71B002198BCBA4EBB998117FFBBB6AB89311F14446AC554E7344EB318D11CB91

Function 0748279F Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8acb96b0130e60b57869c6d44bbff49ec51b9ac56daeb9d53d498c7c111dc03
Instruction ID: 8593d540d28111c2868ad8b61dcb3d7db75532d22fe1ff7082443e48d7be780a
Opcode Fuzzy Hash: c8acb96b0130e60b57869c6d44bbff49ec51b9ac56daeb9d53d498c7c111dc03
Instruction Fuzzy Hash: 65B1AC75614B048FC309EB38D454ADEBBE2FF89300B5585AED45A8F361DB30E94ACB91

Function 07482E16 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135dc410b0ff50e0736bc408ade559db467b6081fb4c75014f6981b83b19574a
Instruction ID: 56858cb9c3a9926d0de91f2648d8c272ab5890f306668ab96658d98cbb7328a3
Opcode Fuzzy Hash: 135dc410b0ff50e0736bc408ade559db467b6081fb4c75014f6981b83b19574a
Instruction Fuzzy Hash: BEA17B74614B048FC319EB38D454ADE7BE2FF89300B5585AED45A8F361EB30AD4ACB91

Function 07482E56 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5efd605aa4010eba88c0bc1b652636f1dbfaf48905ef5d662794a2ef9dab7b
Instruction ID: 3071a22cbe43233fcb1a0bcf0bc751f91221478cf2429407cd5cf79046facb8d
Opcode Fuzzy Hash: fc5efd605aa4010eba88c0bc1b652636f1dbfaf48905ef5d662794a2ef9dab7b
Instruction Fuzzy Hash: 46916A34614B048FC319EB38D454ADEBBE2FF89300B5485AED45A8F361DB30AD4ACB91

Function 07482EB0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aa3434310ce0da6388be54a197cd3c117065f2be6d3ba0e265952e195c43d5
Instruction ID: bbe0bc2b068ee53ef307bc513bf1fffa47c2cdb17e12d2b7d4df6601c907a927
Opcode Fuzzy Hash: b2aa3434310ce0da6388be54a197cd3c117065f2be6d3ba0e265952e195c43d5
Instruction Fuzzy Hash: 82812974610B048FC759EB38C454A9EBBE6FFC9301B50856DE45A8B360EF31AD4ACB91

Function 07484C87 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054e10abff6d548ad6a420fc71f5bceaee953ec27c8bc81c15b571774fe15f04
Instruction ID: 4de1d351dd206619d168c2b209b2391098f1ad718eebf30015e62d143486e9fa
Opcode Fuzzy Hash: 054e10abff6d548ad6a420fc71f5bceaee953ec27c8bc81c15b571774fe15f04
Instruction Fuzzy Hash: 5851DFB4909389DFC346DF69E554A99BFF0AF8A200B2A80D6D484CB3B3CB359D15D712

Function 0748BA50 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdadabdd11bc1c2d40a46983d315be34da3bb28504301883d445e080c5764788
Instruction ID: d78d2d7e0ef92bc096513494c93ad51bdaa7df583dda4dbfc85e87986f11c734
Opcode Fuzzy Hash: fdadabdd11bc1c2d40a46983d315be34da3bb28504301883d445e080c5764788
Instruction Fuzzy Hash: 2341F7F4E182098FDB44EFAAC4406FEBBF6EB8E310F14D46AD419A6355DB344942CB58

Function 07484E3B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13a353d4c04c0050209990c912aad97f96914b1bbd7d09bb283b333442525f1
Instruction ID: f7931d34d70f07f581073166fe1b68d3ecedb6aae7357587f1c03ab2242eb026
Opcode Fuzzy Hash: a13a353d4c04c0050209990c912aad97f96914b1bbd7d09bb283b333442525f1
Instruction Fuzzy Hash: A441E5B4D2525EDFCB80EFA8E4848FEBBB4FB4E210F019856E516A7311D7309811CB64

Function 07488B92 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a280141acfcb63e0e3f40944e884e98eec586a03de63deca1736f4361620dddb
Instruction ID: 45ea7534ec29d344cb69a4ce324007dcbd2f7d5cb9f098d305e34d00c9c951a4
Opcode Fuzzy Hash: a280141acfcb63e0e3f40944e884e98eec586a03de63deca1736f4361620dddb
Instruction Fuzzy Hash: 8D41AFB4E1421D9FCB40EFA8D5809EEBBF5BF49300F648916E419EB345D730A982CB50

Function 07484E48 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9169bba42c39716501fc333907f6146cb114a9e1fa2a04b9c4b627edc4722d1
Instruction ID: f1cf43bc82315349473299cded55e1adaf121b6f84d94d9103cc3e3196ce3ba3
Opcode Fuzzy Hash: c9169bba42c39716501fc333907f6146cb114a9e1fa2a04b9c4b627edc4722d1
Instruction Fuzzy Hash: FA41C5B4D2525EDFCB80EFA8E4848FEBBB4FB4E210F419856E516A7311D7309811CB64

Function 0748726C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7ec6b6133abe60cf5de092e4ae7a6e30a91fd6ddd61d190f82dba81aa1d514
Instruction ID: 04efd1ceac4beef285d88789176f58adc9509fe63ab88e6435c7ccc927af8c69
Opcode Fuzzy Hash: 2f7ec6b6133abe60cf5de092e4ae7a6e30a91fd6ddd61d190f82dba81aa1d514
Instruction Fuzzy Hash: 673107B1A1834CAFDB46FBB4CC549AE7FB8DF42214B6444DBE404CB392EA309D459762

Function 0748570B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883494e8c603299c2c8da03b5d0dee30a37f90dabe5481a567f6cea01e5672f7
Instruction ID: ee48c7255fb505ae358a3fe4d949875d5e3bc861eaf2def9816a94bbdc029682
Opcode Fuzzy Hash: 883494e8c603299c2c8da03b5d0dee30a37f90dabe5481a567f6cea01e5672f7
Instruction Fuzzy Hash: DB418AB4E1121DDFCB45DFA9D884AEEFBB2BB0A300F509426E81AF7210DB349951DB14

Function 07484FC6 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f075373932b197e2f1ee05d3b6585a1ba16e96eada0ad0cf61fd48eb8686b6b
Instruction ID: f4b77f9949ce7f65d44f28045efa06c69c81bce134247b966815cfde9a56f066
Opcode Fuzzy Hash: 9f075373932b197e2f1ee05d3b6585a1ba16e96eada0ad0cf61fd48eb8686b6b
Instruction Fuzzy Hash: EB41C4B4D2525EDFCB80EFA8E4848FDBBB4FB4E241F01985AE516A7251DB309911CB24

Function 0748729C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9fac461f7e9b2ff6b612dc6dbbca9a4280b85979b5d29f50f745d5ec16c2e5
Instruction ID: 0eca57a1d712685695686bcb41dfcb3392ff71ce996fbf5eaeac74e111e1c65f
Opcode Fuzzy Hash: 4b9fac461f7e9b2ff6b612dc6dbbca9a4280b85979b5d29f50f745d5ec16c2e5
Instruction Fuzzy Hash: 2231F8A1B142158FDB5D7BB958342AF259BEFC5250794482FEA06DB3D0DD28CC4383AB

Function 074872D4 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a13ec127d34305620e6c85e76fa8979ce9bd4ce93683de0f0461f5b661e81c6
Instruction ID: 4aa74c9b87eb3a278f2227ef5945fdca060fe9fa0db76592735fd3090cfb222e
Opcode Fuzzy Hash: 4a13ec127d34305620e6c85e76fa8979ce9bd4ce93683de0f0461f5b661e81c6
Instruction Fuzzy Hash: 2A316AB1900209AFCF10EFAAD844ADEBFF9EB48310F50852AE415A7210C735A941CFA5

Function 07483518 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7720e2d8d08e55158afd0b0b528a5537608f48dec50ed7d26fdeefa90c32172
Instruction ID: 7f3c03679540b09844f95da2a3ad90abe1b811564920dfd01eb260b340e16725
Opcode Fuzzy Hash: e7720e2d8d08e55158afd0b0b528a5537608f48dec50ed7d26fdeefa90c32172
Instruction Fuzzy Hash: A1319075A002098FDB05EF64C880AEE7BF6EF49704F1580AAE905AB361DB35ED05CB50

Function 07485073 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c68d054962f037796983e68e847e882c68a772f5c71422750bc60ddd65d8a
Instruction ID: f6bb59cf66b2f839632487346c1693b2664a8957c6abe1f3d2a1fed86df7a20e
Opcode Fuzzy Hash: 693c68d054962f037796983e68e847e882c68a772f5c71422750bc60ddd65d8a
Instruction Fuzzy Hash: 1A31DAB4E2424DDFCB40EFA8D4859EDFBB5EB4A340F109816D816AB315E7309956CF50

Function 07481430 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456968fd2533bfb6ecdb2e575f76786dee8184dcf56285cb6a8ecc2111df5af
Instruction ID: 7af7555796a205bc8c4ed664cf9ca8acd7f2406941e6fdcd24a53c768181efdf
Opcode Fuzzy Hash: 3456968fd2533bfb6ecdb2e575f76786dee8184dcf56285cb6a8ecc2111df5af
Instruction Fuzzy Hash: 9521AFB270478D17D3299739CC0455FBFEAEFC6A5570DC06FD049CB211DA20D8028390

Function 0108D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572bef47423057f7a2bd20451d57b8659d1a2b4c4e0e7bef43368302e6c7581d
Instruction ID: ba38bcbd05a65d4ccc947734a5d5737dd324a9b04349d8198bd078547dc91301
Opcode Fuzzy Hash: 572bef47423057f7a2bd20451d57b8659d1a2b4c4e0e7bef43368302e6c7581d
Instruction Fuzzy Hash: 5D21D671508240DFDB15EF54D9C0F2ABFA5FB84318F24C6AAD9850B296C336D456CBB2

Function 0108D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d583799936164e9bd425c4441d4138403cb3f8b5326fe393235098b50ac7b2e2
Instruction ID: 6febea3514e1e200ad96aaa074228a771e3bf55b492c2a23ca89df33620e3450
Opcode Fuzzy Hash: d583799936164e9bd425c4441d4138403cb3f8b5326fe393235098b50ac7b2e2
Instruction Fuzzy Hash: BE214B71508204DFDB05EF48D9C0B56BFA5FB94324F20C2ADD9890F296C736E446CBA1

Function 0129D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349039854.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a249a3bb2c33ee79f6889b143116038de46eacea2664cf0d6d021cccf4fba3
Instruction ID: 2ee02e226035370800026f12803df7680f0be8254547d40067a69da70f4f7d72
Opcode Fuzzy Hash: b6a249a3bb2c33ee79f6889b143116038de46eacea2664cf0d6d021cccf4fba3
Instruction Fuzzy Hash: 7A213071614308DFDF14DF68D884B16BB61EB84314F20C56DD90A0B282C33AD807DA62

Function 0129D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349039854.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014f8589962d5b9e9e8f001a573cb403b4b4d6cef5deff998492d99a29839ccc
Instruction ID: 9191db5a94ebbb8ce4acdf4e636abdb926bb220fc818aadf340755094a60730b
Opcode Fuzzy Hash: 014f8589962d5b9e9e8f001a573cb403b4b4d6cef5deff998492d99a29839ccc
Instruction Fuzzy Hash: E5213775A14308DFDF05DF98D9C0B15BB61FB84324F20C5ADD9094B287C376D806DA61

Function 07483170 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2711db0e6ac9db2bc769ca0bbf1e8bbcc0feeb92bdabfb6f1079e4319e3f61fe
Instruction ID: 234eb0b97f7bac9a9ee6130e40dbbe508cc24e69c84361ffaace2269dfec6b26
Opcode Fuzzy Hash: 2711db0e6ac9db2bc769ca0bbf1e8bbcc0feeb92bdabfb6f1079e4319e3f61fe
Instruction Fuzzy Hash: B4216A75A007159FC320DF65D880ABBBBF9FF89750B00856DE919DB320E774A906CBA1

Function 07486B8F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ae1faa6a018738202429100371cf1591d8bb657d7941df0f0345f638bed0aa
Instruction ID: 0682d33d7ad804da68211b2c9e00fd1b676fb87d7efc63dfe7350fca2bc286c1
Opcode Fuzzy Hash: 88ae1faa6a018738202429100371cf1591d8bb657d7941df0f0345f638bed0aa
Instruction Fuzzy Hash: CF31DFB0C1131C9BDB60DF99D588BCEBBF5EB08314F24842AE408AB341C7B55845CBA5

Function 07483CA4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f5d8f2b345a6c04d1360527b18fb3a19f40ede2850fecc9afb34428bbb4822
Instruction ID: 4740e4079bf5f285564327a775a7f171cc27ceee34c5e5052e15a92b1260d212
Opcode Fuzzy Hash: a4f5d8f2b345a6c04d1360527b18fb3a19f40ede2850fecc9afb34428bbb4822
Instruction Fuzzy Hash: EA31DFB0C1131C9BDB60EF99C588BCEBBF4EB08314F24842AE408AB281C7B55845CBA1

Function 07483180 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a561716149f603bd53dd6111826d293edc1d8dbf5d854880f942b007369372
Instruction ID: ec384dc82cfb652021d7738a01ededc4d8cfcedc2b1a7895ffdef117b4038c66
Opcode Fuzzy Hash: 41a561716149f603bd53dd6111826d293edc1d8dbf5d854880f942b007369372
Instruction Fuzzy Hash: 79215875A007159BC320DF65C8809BBB7F9FFC8710B00852DE9199B320E770AD05C7A1

Function 07486FEB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474ea2c304e59df3a332c655c91db4bd2761fd9e001662b9447b80b678854b99
Instruction ID: 095ed481ac9d01d742605b0d472a377c893371fef77e9e6d52ff8e635ebecb95
Opcode Fuzzy Hash: 474ea2c304e59df3a332c655c91db4bd2761fd9e001662b9447b80b678854b99
Instruction Fuzzy Hash: B621F6B1A001199FE794EF5AC444BEFBBF5FB88364F25812AE514CB391CB708904CB91

Function 074869D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f874661a287d3b891996f9cf486d6ae106c27d77e66ac87f3e502b23482c31
Instruction ID: 051b76b6ac05b71de1e4f2f1e656612382d002f51c8934cd2637a70e1d53355e
Opcode Fuzzy Hash: f1f874661a287d3b891996f9cf486d6ae106c27d77e66ac87f3e502b23482c31
Instruction Fuzzy Hash: 1911C4B2E0030A9F9B91EF7998404FFBBBAEBC5650715852AE464D7341EF30D9058761

Function 07484D70 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd83eacf59695479f75fc8e2c82cb10565dd5baf337835fd1dd540e6481b7d4f
Instruction ID: cf7c07c1b534c6fde9f22225287f7d3a7d2048f64ccafb76a4f542db51b5d090
Opcode Fuzzy Hash: dd83eacf59695479f75fc8e2c82cb10565dd5baf337835fd1dd540e6481b7d4f
Instruction Fuzzy Hash: 772193B4A10A08DFD744DF5AE685999BBF1FF8C310B6280D5E5489B365DB31EE20EB04

Function 0748BC00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31741a92ae4b05264a7d4fdad084f9ed6fd7ec79281cd5248dca649b55487217
Instruction ID: a5b421b87579c212047d90d325cf9112046efd4c15413124e60622fa4ca3bb08
Opcode Fuzzy Hash: 31741a92ae4b05264a7d4fdad084f9ed6fd7ec79281cd5248dca649b55487217
Instruction Fuzzy Hash: 9E2195F4D14209DFCB84DF99C181AEEBBF5EB4A300F60945AD819A7315D7709A41CF51

Function 0108D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 9cc88669dddb413e2b48acaf05259e3e0f87ea6d2bc3f07d2d86aff096283b0e
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 0011E176504240DFCB06DF48D5C0B56BFB2FB84324F24C2A9D8890B297C33AE45ACBA1

Function 0108D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 92c7ad7aa2ab6c85779e2674afceffc2d3c112f0ef51da67623a2642ec882e81
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 5111B176504280DFCB16DF54D5C4B16BFB2FB84324F24C6AAD8890B697C336D456CBA1

Function 074872E4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f39a63f5a52a46ef3dd63028d482d3957da10f904ba1724a72f7492f0f86ee
Instruction ID: 32950416e1c664c90dbaa30d8ad9cf85a2efab57acaab63aed4909b894107f2a
Opcode Fuzzy Hash: 23f39a63f5a52a46ef3dd63028d482d3957da10f904ba1724a72f7492f0f86ee
Instruction Fuzzy Hash: 872106B5C0034D9FCB20DF9AC844ADEBBF8FB48310F50841AE919A7210C375A945CFA1

Function 0129D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349039854.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 75c4af719fceafb765acf5431c7400cb386c997789168aa8a34cab3cde99df52
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8411BB75904284DFDB06CF58C6C0B15BBA2FB84324F24C6ADD9494B297C33AD40ACB61

Function 0129D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349039854.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: e629a68674127133de755b2fdbd0faff866ca3ebcfb832e395b6ba132d5ff9e0
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: A311BB75504284CFDB16CF68D5C4B15BBA2FB84324F24C6AED9494B696C33AD40ACBA2

Function 07488540 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a41aea8eb3fc609fb0963cd22c25d65af5866fb3cf10aa433391b0dd8f5bff
Instruction ID: 355033a55e72d6b164e27e2ef7206710405e737e5a6017484769960cc4b073d7
Opcode Fuzzy Hash: e7a41aea8eb3fc609fb0963cd22c25d65af5866fb3cf10aa433391b0dd8f5bff
Instruction Fuzzy Hash: 69F044F131031E5B87A2751E8C909EF6B5EDAD15A0799032FED09C3392DE10CC4282B6

Function 0748CBD8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5da4babf7788e2ef6932bf81b70bbd333a31d7a4059d5bc700d33f3fd7585c
Instruction ID: 4eec8001d33b908d64b6a96b407085cc5f6f9827273160bdab68772d2bfe0f0b
Opcode Fuzzy Hash: 8f5da4babf7788e2ef6932bf81b70bbd333a31d7a4059d5bc700d33f3fd7585c
Instruction Fuzzy Hash: 4C1121B0D15218DFD748DF6AD4809EEBBBABF8A301F00D46AE40997310DB305941CB60

Function 0748BCB8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a83d5604c533c1119a598d91f733629e122f0165ca0a77ff29c1f45fb4a204e
Instruction ID: 8779f491072ee1f09bcfd52ef0dbd64e05a85d12ca871bcfd016f24310236bb7
Opcode Fuzzy Hash: 1a83d5604c533c1119a598d91f733629e122f0165ca0a77ff29c1f45fb4a204e
Instruction Fuzzy Hash: 6211D3B4D0820CEFCB44EF99C5409EEBBF9FB49310F54959A9459AB311D770AA42DB40

Function 074841CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5167847931e73c46b5077a330e75fa03bb172c48123abe664108af8a32fc14
Instruction ID: d698a84435da02794b022c4e2c7d5108636e7e5858de6da6094e6d42ff231542
Opcode Fuzzy Hash: 9b5167847931e73c46b5077a330e75fa03bb172c48123abe664108af8a32fc14
Instruction Fuzzy Hash: FD01F5707083868FD781AA3DA8086AA7F97DBDA141F05457AE646C7792CE718C438781

Function 07488C61 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137f8cc073d386d12593896f6f60cd63e2c94382a9474d9cc93c0fb6a646cde1
Instruction ID: 061bc04853617ea406ba479d8b2c517d58304f931c6e60a8359cb6229da4aa7c
Opcode Fuzzy Hash: 137f8cc073d386d12593896f6f60cd63e2c94382a9474d9cc93c0fb6a646cde1
Instruction Fuzzy Hash: D5012C70691709CFD354DF18C845FA937A5AF86710F5680A6E2058F676D732E841CB01

Function 07488C78 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718d7acc173f680619b388dcae0ee32bd28183da58b5131a2091ebc7d1ed5d9a
Instruction ID: 5ed25a61a4dbd560b84960ba5cb324cce5950b6abde7e5e78910f3c904a0515c
Opcode Fuzzy Hash: 718d7acc173f680619b388dcae0ee32bd28183da58b5131a2091ebc7d1ed5d9a
Instruction Fuzzy Hash: D3019EB0755349CFE3559B29C805B5A3BA9AF8A300F9980E7E115CF3B6CB21DC01CB02

Function 0748C170 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b15246421618497b82654c865b39d9f247f818ee246811777718ae522c6e5d9
Instruction ID: 49126759180db7c018c187c3524d581d45275dd382aa09a7e38f9c1ce8ec047c
Opcode Fuzzy Hash: 8b15246421618497b82654c865b39d9f247f818ee246811777718ae522c6e5d9
Instruction Fuzzy Hash: C411E5B1D006589BEB18CFABC8447DEFAF7AFC9300F14C46A9409B6264DB7009468FA0

Function 0108D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fdaef44f3a1f182d2823de2b2b6307947cc4b995d728c2c23de918d77cd089
Instruction ID: 86b91c60ccec3f63013be91f7191999229b311af0e338dbae5a253b818a92585
Opcode Fuzzy Hash: e7fdaef44f3a1f182d2823de2b2b6307947cc4b995d728c2c23de918d77cd089
Instruction Fuzzy Hash: 3801F73100C3809AE7607A55CC84B2AFFD8EF41231F18C66AEDC80A2C2D3389844CBB2

Function 074807C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7e340bb4998e3c62fa51707b30fd8d0410c8ceabd347652a8b34a497dd8db
Instruction ID: 2e272750b214b31d6b8ec893c0c87552fe4c8efc782a53780683e3f50738c6eb
Opcode Fuzzy Hash: 79e7e340bb4998e3c62fa51707b30fd8d0410c8ceabd347652a8b34a497dd8db
Instruction Fuzzy Hash: 29017C35A20718CBCB189A25D85949EBBBBFF88765B00852EE50683360DF71A915DB90

Function 07486F4C Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab010fd34365fa5634ebdd66aeddb3b5894924d8b08291186a4c31f65a5760a1
Instruction ID: cb4a4b0c6d08015348b4b61052e9e2a971b4f3d7a775081cdac212c896bda0aa
Opcode Fuzzy Hash: ab010fd34365fa5634ebdd66aeddb3b5894924d8b08291186a4c31f65a5760a1
Instruction Fuzzy Hash: EB016DB190021EDFDB91EF95C4047EEBBB0FF48364F118526E514AB291D7708A44CBD2

Function 074841E0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f831d7fd81aed940e07165726c815bbbb295b5ca73ea188cd25a6a8b413680be
Instruction ID: 00350fc56ba597c335849cd9b66b50ad67dacef32fb79139b15ff2de3d296fb5
Opcode Fuzzy Hash: f831d7fd81aed940e07165726c815bbbb295b5ca73ea188cd25a6a8b413680be
Instruction Fuzzy Hash: DA01A430714306CFC681AA3DE94969A7BDBEBD9292F05853AE60AC7355DF70DC438790

Function 0748D028 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0ec9a0dd320b85891774cc4b79576ee30a6a001ff224a198b990b5d75ba918
Instruction ID: ee8ff8332b55d02b702d9cfb250d9634504a3c3c2d10bcf6c385e05cf727cf61
Opcode Fuzzy Hash: 2f0ec9a0dd320b85891774cc4b79576ee30a6a001ff224a198b990b5d75ba918
Instruction Fuzzy Hash: 9701EC74E1510CEFC744EBA4C585AADBBF9AB8E304F15C495D5499B352DB30DE02EB40

Function 0748CFB0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5418bd8d42645dd1f00e66ee048ada85130ba574e1de0bd12d4e79a6f2888804
Instruction ID: 97f1f38bad811bb3c6bcc6cef48d46263a5f2f2066c4dadf194715f2bcb567f6
Opcode Fuzzy Hash: 5418bd8d42645dd1f00e66ee048ada85130ba574e1de0bd12d4e79a6f2888804
Instruction Fuzzy Hash: 59F0ADB0A2C20CDBE744EB55C0A09FDBBBDAB4B300F0099D2E5095A291D7309A02DB70

Function 0108D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1348631137.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_108d000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0297c633315af891ea13cf34411dee68809b2a76b13e4bb4012bd56bf32b80
Instruction ID: a964dc42e025483b22b883b616902b167faf4a242b55c3b1738502529864e590
Opcode Fuzzy Hash: 9e0297c633315af891ea13cf34411dee68809b2a76b13e4bb4012bd56bf32b80
Instruction Fuzzy Hash: AEF0C8310083409EE7509A09CC84B66FFE8EF40635F18C55AED480B2C7C3755844CB71

Function 074807B3 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f67a9bd64479f14f823161e3a41dfe979c73a944af2199579fcbed88de8291e
Instruction ID: 5fbea05330ac9a408c80bcb2c429ac85b970e771d800bf48959d05ea920260c4
Opcode Fuzzy Hash: 5f67a9bd64479f14f823161e3a41dfe979c73a944af2199579fcbed88de8291e
Instruction Fuzzy Hash: 64F0E971A102195FDB58593588151EFBAEBDBC9750F04813BE411933A4DEB05D159580

Function 07486448 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcfd663a0594558520f38e843e01cbca285219dec6fbcc74cc175c44dfe1c3d
Instruction ID: e02510aa224bdb6adb61960f4a1ec83e64b1d299d26b3daaaac9c2f0b419166c
Opcode Fuzzy Hash: 4fcfd663a0594558520f38e843e01cbca285219dec6fbcc74cc175c44dfe1c3d
Instruction Fuzzy Hash: F1F0E4717502185F8B546B7D942459F37EBDFC86513554477EA06C7315DD30CC028396

Function 07486F58 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d85b839644d87dcc68ff5b50822acdef80752ba2e746eb124cbd6c5a5af872
Instruction ID: 9ffef9c0ad51ca7ffcdefc0bb0c1bf9db34ffec1852ac426604bfb7b3f269130
Opcode Fuzzy Hash: 97d85b839644d87dcc68ff5b50822acdef80752ba2e746eb124cbd6c5a5af872
Instruction Fuzzy Hash: DE01ECB080021DDFDB55DF55C4047EEBAF5AF44364F21852AE524AA291D7748A40CBD1

Function 07481440 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5444b386b98dba308cd1ace65be0aa35bbdaa9e8a1302c34dbf99ce76e8b2a35
Instruction ID: 06f06216c2a914c75c786004cc11433708485d7fc3b805825be193fb88cd57f8
Opcode Fuzzy Hash: 5444b386b98dba308cd1ace65be0aa35bbdaa9e8a1302c34dbf99ce76e8b2a35
Instruction Fuzzy Hash: 25F027B179071D47C368CA2B980446FBBDFEBC5691709C83FE10AC7220EA30D9474690

Function 07488190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0af3ce90dc810b4147e56113dd673cb40e751b94059dde256a4ce236e48553
Instruction ID: 8ecbbebdfea59523fcb71c0088d9bba8e248443633767ed3f5333f0d625b6be6
Opcode Fuzzy Hash: 4b0af3ce90dc810b4147e56113dd673cb40e751b94059dde256a4ce236e48553
Instruction Fuzzy Hash: 22F0B471A0820CAFDF45DFA9DC508DE7FAEDF49214B1481ABE408D7222DA3099508754

Function 0748503C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90ec6e9934c9ad786241fa950333c18b92a373689e58484f44e1114f265e93d
Instruction ID: 65af631c6d229d7ae98abde1b37f94c4dccdc162ce649ddb8b0be797c4923c5a
Opcode Fuzzy Hash: b90ec6e9934c9ad786241fa950333c18b92a373689e58484f44e1114f265e93d
Instruction Fuzzy Hash: 98F0C4B4E05298EFCF52CFA8D84198CFBB4AF09200F24055AE546A7352E7315912DF11

Function 0748AB49 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d409f4d013277319fd66231de215d8691add704b6d7a0f7e2e4304e0c7ab4f73
Instruction ID: dc8fe0fa23c82839abfd2cef3993942eae96f85fd50cb2ab350354b6a0e6fd91
Opcode Fuzzy Hash: d409f4d013277319fd66231de215d8691add704b6d7a0f7e2e4304e0c7ab4f73
Instruction Fuzzy Hash: 57F054F0A1E21DCFD790EA5589C05FC777A9B4B200F00E9A7910A97125DAB0194ACB01

Function 07484183 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca9a4c4ac8a6ee93f7347280801891c148d69cf65e4ec8e920b435164d0a39
Instruction ID: 2b6be7aba9d0a3b53789c8056adaf85c20deac3460013d4a3c1db07408ce47a0
Opcode Fuzzy Hash: e0ca9a4c4ac8a6ee93f7347280801891c148d69cf65e4ec8e920b435164d0a39
Instruction Fuzzy Hash: 39E022717102154FC380ABAAD849A8E7BE5DB88A117648075F609CB394DE30DC028BA0

Function 074814C0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0052e0ee7df22b4aa061eb636d22c7ef5da59f3390bf9d9ccfd1c21de3b5237c
Instruction ID: 17a6279cd371b90673d45a0a92bfb25abf6ccb20c7fa6a45f0a3427fd31542c3
Opcode Fuzzy Hash: 0052e0ee7df22b4aa061eb636d22c7ef5da59f3390bf9d9ccfd1c21de3b5237c
Instruction Fuzzy Hash: 82E08631B00A1417D618676B9804A6BBBDEEFC9B20714C06DE45997744CD60AC0186D4

Function 07486EB4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af45d93cf5d5096d6797e8c8c30c53f67f31c7b6cda9ac0b8ff7beb15d2b1c3f
Instruction ID: f3a7b6f62ccf4067f36e492a296c9c044f9726cfe5cf6b4dc85041b08845cbe3
Opcode Fuzzy Hash: af45d93cf5d5096d6797e8c8c30c53f67f31c7b6cda9ac0b8ff7beb15d2b1c3f
Instruction Fuzzy Hash: 7FE0DFF2C0812D9B8B61AAE988048EFFF38DB0A610F224553E50062201E2B30A16CBC1

Function 0748FD38 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309f5f7671dda755dd1913c5e75fe53dfaeb606ded26f1afc950f103dfdced5a
Instruction ID: bb44c01b834021900296c19590e11428643050bff9e52dd6770ee5553c8da9ba
Opcode Fuzzy Hash: 309f5f7671dda755dd1913c5e75fe53dfaeb606ded26f1afc950f103dfdced5a
Instruction Fuzzy Hash: 05F03974D0020CEFCB54EFA8D40468DBBF5EB99310F00C0AAE959A7350EB345A55EF81

Function 0748ABDA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41007722694050aa50b026c773cbb093d11ac70e10d534cc88ca834a0077d8d
Instruction ID: 9edad0d67e6f928845e1da668a4104883c031f3761933a7360f28f0c07706fb8
Opcode Fuzzy Hash: d41007722694050aa50b026c773cbb093d11ac70e10d534cc88ca834a0077d8d
Instruction Fuzzy Hash: 45E0C9F0B5631DCFDB90EA54C9C05FCB77AAB46204F109D97921AA6225DAB01E898B02

Function 07484190 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590e9c6e016ce3149bff6b41aaabefa5ffd32a25e6593411be48780936c46c61
Instruction ID: 8bec2d52691590ae728c98bd3642bdfed275bbffd667670f16c571f32c855eb6
Opcode Fuzzy Hash: 590e9c6e016ce3149bff6b41aaabefa5ffd32a25e6593411be48780936c46c61
Instruction Fuzzy Hash: EAE0CD357103144F8340EB7AD40594637F9EBCCE21320C065FA09C7355DE30DC018B90

Function 07486EC0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 2c591220c1e4ecfbf15739fc1e16e89931b3693d81d001d8ce281d14d5c89c18
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 3AD09EB2D0013D978B10AFE9DC054EFFF78EF05650F418126E915A7101D3715A21DBD1

Function 0748A8FA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c3ab01728e7aa78bada01479a5197aff8520746f047bab3e2b47ccb3a9bedc
Instruction ID: 3555be26ad702f71f604a68c36aae054d76638d5357757274897bc57fe496c4a
Opcode Fuzzy Hash: d1c3ab01728e7aa78bada01479a5197aff8520746f047bab3e2b47ccb3a9bedc
Instruction Fuzzy Hash: 9DD05E710543889FD3855F60A81C2B53FB0EB03321F0A4196E4498E4B1C77A898CEB15

Function 074868D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1690efc359ff2b8743e03f3b41e18a6ca190aa15dc420aa8dc1f6be6b9c3c662
Instruction ID: c2b4f08d739c84e79af54b4f50f5c98a31c1878e13150275fa0eeeed90b88103
Opcode Fuzzy Hash: 1690efc359ff2b8743e03f3b41e18a6ca190aa15dc420aa8dc1f6be6b9c3c662
Instruction Fuzzy Hash: D4D0127701E7C05EEB53A771840488AFF707A6396430A81DBD4A59F073955094299726

Function 0748A908 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2ec576b05238a71e2738c5d3b94001b264c525ebb7a03561a8deacc93647d8
Instruction ID: 01651f4381cee2386ff01b6bf798e0d75c8e6347585ef053bad2cb0cf839f385
Opcode Fuzzy Hash: 9d2ec576b05238a71e2738c5d3b94001b264c525ebb7a03561a8deacc93647d8
Instruction Fuzzy Hash: 7CC08C710007088BD6142B94B80D3293BACAB03306F808161E10E894A08FA44844EA55

Function 07485470 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907c96f2e6b5d6acd6241d298d21ac19a4fd58c882494cca3adeffdd51a894af
Instruction ID: 345b4d2c07964ea84ccb384c40ccc0c5091fdf6f5fa40d4b05bc0673f1517146
Opcode Fuzzy Hash: 907c96f2e6b5d6acd6241d298d21ac19a4fd58c882494cca3adeffdd51a894af
Instruction Fuzzy Hash: 42D0EAB4D28209CFCB44DF94D5556EDBBB5AB4A302F208516E41AA2244CB74AE539F40

Function 0748728C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e491e05b79b9fb181f3393ff16e546a714a219bedfaee80f3d50ee07be1e8454
Instruction ID: a6e242d297c7a8d789d7e61dff821e7d0db1cc2340f2881f24604bd429e13f1a
Opcode Fuzzy Hash: e491e05b79b9fb181f3393ff16e546a714a219bedfaee80f3d50ee07be1e8454
Instruction Fuzzy Hash: C8B092A51A4208A2909632A648D0AAE6810ABB2701B908C1B7705040808930442AA61B

Function 07480DA9 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779164a7b2dedd7522fafff441a29d74bcc2fe950ed818dd0a994c25ee1fdccf
Instruction ID: b1ff40f8fe7420cb6c6d7849d83ee2fe96c69704dd1ab3d609848d555c3d1fa6
Opcode Fuzzy Hash: 779164a7b2dedd7522fafff441a29d74bcc2fe950ed818dd0a994c25ee1fdccf
Instruction Fuzzy Hash: 1FC08C70220204CFCB05CB50C1084AE7BB2FF0820A7204418E40212620C731EC02CF00

Function 07482C34 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d308b2dc13525d62059b2b21f2cd8e28ee327a9d62f650d650082569fcd99a
Instruction ID: 49cdda43ac2dc4358cd21dc2e0f44b3f7c00b87c11b5e5c7d224b5533f08d942
Opcode Fuzzy Hash: 17d308b2dc13525d62059b2b21f2cd8e28ee327a9d62f650d650082569fcd99a
Instruction Fuzzy Hash: 17C09B34D30338CBC344E771D941C9C6796FA46600B004D3540155A0E6CB547D4B9541

Function 07484AD1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d721aaa53471fa5f9c083b7f41220b53b6a6c46c542a097cec803d63907137fe
Instruction ID: e67bb179cbb8627e55727cc9a2e279f511959a4075b03128e1a3cb88952924f4
Opcode Fuzzy Hash: d721aaa53471fa5f9c083b7f41220b53b6a6c46c542a097cec803d63907137fe
Instruction Fuzzy Hash: 6FA0024795455133DB44295594913550790AB62644FE85050C41491245D41982455563

Non-executed Functions

Function 01608BE8 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHq, xrefs: 01608EAB
PHq, xrefs: 01608DD3

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 8a47063f617a7144d8c7a20e4166f4c43028526fa7b90d320df2edca47c61a01
Instruction ID: b7487770c3c8e428a2f4f0633cafd0e029f0785d7d76592f5d551e939ad2aa26
Opcode Fuzzy Hash: 8a47063f617a7144d8c7a20e4166f4c43028526fa7b90d320df2edca47c61a01
Instruction Fuzzy Hash: 72D1C835B00604CFDB19DF69C998AAAB7F5BF4C701F2580A9E505AB3A1DB31AD41CF60

Function 074872F0 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

Hq, xrefs: 074882D1
T(z , xrefs: 07488877

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: Hq$T(z
API String ID: 0-2798379001
Opcode ID: c0e48e745615c042be4cc9ed23d536636f14d284194ba79daa8489783741a873
Instruction ID: 544260c13cdd6897aa2c9d7bf146f2713d23bae0fd67a68da0fee0d3e08a5dee
Opcode Fuzzy Hash: c0e48e745615c042be4cc9ed23d536636f14d284194ba79daa8489783741a873
Instruction Fuzzy Hash: D3411A71F34209CBDB88EBB489516EF77BBFBC5600F94882BD501AB284CA308D468752

Function 0748877B Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

T(z , xrefs: 07488877

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: T(z
API String ID: 0-3184255237
Opcode ID: 1b06c87f296f41af539b8588fced16e92ad1087dfeed2bf739a39c8987d2e970
Instruction ID: d11e84d4dbcc06eb2ff2c6dd56150419429e7384fcb63fa4868b2e4c9cdaab2e
Opcode Fuzzy Hash: 1b06c87f296f41af539b8588fced16e92ad1087dfeed2bf739a39c8987d2e970
Instruction Fuzzy Hash: 80413071F3420DCBDB98AAB58D516FFB6BBEBC9610F94882BD501BB384C9308D428751

Function 07488788 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

T(z , xrefs: 07488877

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: T(z
API String ID: 0-3184255237
Opcode ID: 7019fcda9af302ccda83193bb74264d47b3abf98e3006f2238f27b70661bab18
Instruction ID: e273c47492371c967489ae48df794463b9d67e9dcb767e018ef143b32e74b300
Opcode Fuzzy Hash: 7019fcda9af302ccda83193bb74264d47b3abf98e3006f2238f27b70661bab18
Instruction Fuzzy Hash: CF311271F34209CBDB98AAB58D516EFB6BBEBC9610F94C82BD501BB344C9308D428751

Function 07482450 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

ax^, xrefs: 0748250E

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: ax^
API String ID: 0-994873808
Opcode ID: 5b4ef1d85eef60db9026aa5a4b279e5c77ca6341ea4c66aa4b0987c6ed2a2427
Instruction ID: 5044207a8a2d72410954fc3ca0d66260a215364e342c9dcaff05119f382deb15
Opcode Fuzzy Hash: 5b4ef1d85eef60db9026aa5a4b279e5c77ca6341ea4c66aa4b0987c6ed2a2427
Instruction Fuzzy Hash: BD41D4B5F6420E8FCB80DF99C8959AEFBF5BB89600F198527D405EB351C274D902CBA1

Function 07482460 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

ax^, xrefs: 0748250E

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: ax^
API String ID: 0-994873808
Opcode ID: 7e0f7698b5fc9d0a9186e712c88894d713cc032d3c06b078a3fb9a9a5bca8016
Instruction ID: 71a1aa29046134b30e62bd0a548a21e67151f7b0fa459623eb977f67a5a68b29
Opcode Fuzzy Hash: 7e0f7698b5fc9d0a9186e712c88894d713cc032d3c06b078a3fb9a9a5bca8016
Instruction Fuzzy Hash: 8B41A3B5F6420E9FCB80DF99C8819AEF7F5BB89600F198527D505EB350D2B4D9028BA1

Function 07488779 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

T(z , xrefs: 07488877

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: T(z
API String ID: 0-3184255237
Opcode ID: 9e3e6ac388b8050ab96493895824f81177de323515b681fc676a1d38f93fb54d
Instruction ID: 11bd94e5dcad5f958d874da58b05f280568f0862cfc7a976ef615bd483cad158
Opcode Fuzzy Hash: 9e3e6ac388b8050ab96493895824f81177de323515b681fc676a1d38f93fb54d
Instruction Fuzzy Hash: DC310C75F35209CBDBD4AAB489516FF76BBEBC9600F94882BD542BB284CA308D428751

Function 074882B1 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

T(z , xrefs: 07488877

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID: T(z
API String ID: 0-3184255237
Opcode ID: 404c3a49ac78aeb01d2708a0cf9939952775d7232cd2c1c95a1b7425f9379a5c
Instruction ID: a2f1497babdb66cdc7648465563bb658678b63478556ca1e772bdcebc44d5fcf
Opcode Fuzzy Hash: 404c3a49ac78aeb01d2708a0cf9939952775d7232cd2c1c95a1b7425f9379a5c
Instruction Fuzzy Hash: C0310E71F35209CBDB94AAB449516FF76BBEBC9610F94882BD502BE284C930CD428751

Function 01607B48 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4d2d29da4e4acf1c075cbe1c66bcbd391f577da5ea4efcbeaf8dc5429a58a8
Instruction ID: eea2608795ffdb900971ee95f3aa9a28d67e2eb7212ab9dfe2236ff56a4cf240
Opcode Fuzzy Hash: 2c4d2d29da4e4acf1c075cbe1c66bcbd391f577da5ea4efcbeaf8dc5429a58a8
Instruction Fuzzy Hash: 2FC1BC317012418FEB2ADB79C850B6BB7FAAF88604F14846DD286DB3D4DB35E902CB51

Function 01601710 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610a16e815f91ce608968822806c42b2e1d53c0a81017cb5309ae23e09089678
Instruction ID: a2674015d21818c26f13ce70e50a383208d4e216a5fe68754faed0c532b69103
Opcode Fuzzy Hash: 610a16e815f91ce608968822806c42b2e1d53c0a81017cb5309ae23e09089678
Instruction Fuzzy Hash: CBE1C674E002198FDB15DFA9C980AAEBBF2FF89304F248169D554AB395D734AD42CF60

Function 0748F4C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14fcd31db98b02ecef865d05245ae69e2e2e94638eff314fb46976bf4a050f2
Instruction ID: 5592f9d0c2cfa3463d8109d481a6e8ae6f432556c3b0d34e29f2b550ee36fe37
Opcode Fuzzy Hash: f14fcd31db98b02ecef865d05245ae69e2e2e94638eff314fb46976bf4a050f2
Instruction Fuzzy Hash: C1E1D9B4E002198FDB54EFA9C580AAEBBB6FF89304F24815AD414AB355D734AD46CF60

Function 0748F090 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6831d0889424392f86959aee1a79d418b819d8ea472d0c8345a11a56b66170e
Instruction ID: 3efc4203c7a8dca24b06bad3ab6fb67d4e1533218d28337a2048ff08f50400d9
Opcode Fuzzy Hash: b6831d0889424392f86959aee1a79d418b819d8ea472d0c8345a11a56b66170e
Instruction Fuzzy Hash: B7E1D9B4E00219CFDB14EFA9C580AAEBBB6FF89304F24815AD414AB355D735AD46CF60

Function 0748EC58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c34b92db4e4f26b2fd4816d09718aa2e6d3eca57c7e066b9b988e8a86b837c
Instruction ID: 35b3a4b54d50c0f0a503fb429b3d53b4219e951c159f2ae0b56ff092c1335995
Opcode Fuzzy Hash: 34c34b92db4e4f26b2fd4816d09718aa2e6d3eca57c7e066b9b988e8a86b837c
Instruction Fuzzy Hash: 93E1C7B4E00219CFDB14DFA9C580AAEBBB6FF89304F24816AD454AB355D735AD42CF60

Function 0748F900 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98800141abf104cf61b40687b64ec300b57490b6710b73301c99b0e74e568ae
Instruction ID: 0588a9b3028d77f07d12586ed2ceb394ed35f8bcd9d60efea7a05df1b7b06f2a
Opcode Fuzzy Hash: d98800141abf104cf61b40687b64ec300b57490b6710b73301c99b0e74e568ae
Instruction Fuzzy Hash: 8FE1E9B4E002198FDB14EFA9C580AAEFBB6FF89304F24815AD415AB355D734AD46CF60

Function 07487967 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63ddb937a24ae085a6cd8225e52ddd30e9799a666ccedf299207e3efb3b188b
Instruction ID: 128559e2cf128f5e4b941d33bc9053460fc6f61695114e2e7f4a6a79118100ad
Opcode Fuzzy Hash: e63ddb937a24ae085a6cd8225e52ddd30e9799a666ccedf299207e3efb3b188b
Instruction Fuzzy Hash: 17D1E835C2075ACACB10EF65D990AD9F771FFA5200F50C79AE4497B210EB74AAC9CB81

Function 0136D364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349290994.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1360000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df06edd2722c517a48914229f128bff3c48a7f01383ed70f736d6d1d880f58c8
Instruction ID: e16b8b048fbaa1989273cbe3776c838a1c5aa3910bcf279c31ef6f3e68571a0c
Opcode Fuzzy Hash: df06edd2722c517a48914229f128bff3c48a7f01383ed70f736d6d1d880f58c8
Instruction Fuzzy Hash: D6A1B336E00209CFCF15DFB8D85459EBBBAFF85304B15C16AE902AB269DB31D915CB40

Function 07487978 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4aa96d5535a7919d7557f2635906623ac523de2d05ff2658c0d59bc725b845
Instruction ID: 81abd9cd8a1f248fbbfe6a4a4886aa49aa603c833d043e46492d728d7e620995
Opcode Fuzzy Hash: 0b4aa96d5535a7919d7557f2635906623ac523de2d05ff2658c0d59bc725b845
Instruction Fuzzy Hash: 5FD1D835C2075ACACB10EFA5D990AD9F771FFA5200F50C79AE4497B210EB746AC9CB81

Function 01601700 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1349535372.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1600000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48ef79e9a671c13ebe8db1d9111191bc9ce35ffd7d2ff22294b3351c1a42bd2
Instruction ID: 77aace54dc5eda0b0383614efad2c290e2a2ac826a463f1d667c7f0510e38bfd
Opcode Fuzzy Hash: b48ef79e9a671c13ebe8db1d9111191bc9ce35ffd7d2ff22294b3351c1a42bd2
Instruction Fuzzy Hash: 31510A70E002198FDB19DFA9C9815AEBBF2FF8A314F248169D418AB355D7319E42CF61

Function 07481918 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b10387710ee7f93c67bfad07990c68cbbce97dc1655c70040542ad991fe4db5
Instruction ID: cda7d8b27c3475c755946902796c15d89f98e22f005278ea093fad9c4cbe226f
Opcode Fuzzy Hash: 2b10387710ee7f93c67bfad07990c68cbbce97dc1655c70040542ad991fe4db5
Instruction Fuzzy Hash: EC41C07171060DCFC750CA6DC885A9ABBF6EF86350F04882FE05ACBA64D234E942CF01

Function 07481913 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1353231932.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7480000_SOA-Al Daleel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcb2dc065279de532788a1e482fe385b8a7e8d321bd2964ebb3c2cc1823e3ca
Instruction ID: ece6fb50fa33dee26d74223716f9cc2652113f0d34a411c6e69befba1dee7f06
Opcode Fuzzy Hash: bdcb2dc065279de532788a1e482fe385b8a7e8d321bd2964ebb3c2cc1823e3ca
Instruction Fuzzy Hash: 8241B17171060ACFC750DB6DC885A9ABBF6EB86350F44882FE05ACB660D234E942CF01

Analysis Process: MSBuild.exePID: 7912, Parent PID: 7508COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 014E9B38 Relevance: 3.1, Instructions: 3080COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e0e4d9b5056eb968a9a5bbbb18fbaa9f66cd43560d65239fcf7b6a0e6b272f
Instruction ID: 2f9a8e55001da6f6c4816055b58627552359beb83dca9b0d21621b238ba5507b
Opcode Fuzzy Hash: 32e0e4d9b5056eb968a9a5bbbb18fbaa9f66cd43560d65239fcf7b6a0e6b272f
Instruction Fuzzy Hash: DD632C31C10B198ADB51EF68C8846ADF7B1FF99300F15C79AE45877221EB70AAD5CB81

Function 014ED025 Relevance: 2.1, Instructions: 2064COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2c8f707e3bf8e9dcaeb5b9c2537ded5999681256485eaeda6b79aeb4c04086
Instruction ID: 3209257a294facdc513e4b6b2c5ca59a5872d17ad3e35a80b0d9b04d018a5cb1
Opcode Fuzzy Hash: ca2c8f707e3bf8e9dcaeb5b9c2537ded5999681256485eaeda6b79aeb4c04086
Instruction Fuzzy Hash: BE23FC31D10B198ADB11EF68C8846ADF7B1FF99300F55C79AE458B7221EB70AAC5CB41

Function 014E9378 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b31b65b94e54a4c4d092f35576302ce6d2479713f75d1a0135769f22cd309f2
Instruction ID: 4d434194711675be76f9862d5f79cf899ecbc503768e193c26da755489ed9f73
Opcode Fuzzy Hash: 9b31b65b94e54a4c4d092f35576302ce6d2479713f75d1a0135769f22cd309f2
Instruction Fuzzy Hash: B0328C74A002058FDB14DF68D584BAEBBF2FF88315F24856AE909EB3A5DA34DC45CB50

Function 014E4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476d5f6471f9416cca388f39608fe3375022e1f7d13fc4138bceb563f7032901
Instruction ID: 2182e6248b2d9468c017be16914fe753b14a2bfb99900da95656432210c1481a
Opcode Fuzzy Hash: 476d5f6471f9416cca388f39608fe3375022e1f7d13fc4138bceb563f7032901
Instruction Fuzzy Hash: 60B13270E002098FDF14CFA9D9897DEBBF2AF48315F18852AD415E73A4EB759846CB81

Function 014E3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b547fa2ea8758e89571e4fe0a383605e1c10de1d01f426b51ec380ccc1bc989
Instruction ID: 56a762819f574dcfaace9cd77a30bae7bb04b989c7fe47c50528636dde8e701d
Opcode Fuzzy Hash: 8b547fa2ea8758e89571e4fe0a383605e1c10de1d01f426b51ec380ccc1bc989
Instruction Fuzzy Hash: E4916E70E002098FDF15CFA9C9997AEBBF2BF48315F18812AE414E7364DB749845CB81

Function 014E6ED8 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 014E6F0E
LRq, xrefs: 014E6FE9

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: 1c87eaa27d5e0289bfe68607d0c80075e232770214339b2aca4e13ff96dc5777
Instruction ID: 067d06d65faf01110de81def8c42e86f1b7083e90a8eda4b429f1cd9330b161a
Opcode Fuzzy Hash: 1c87eaa27d5e0289bfe68607d0c80075e232770214339b2aca4e13ff96dc5777
Instruction Fuzzy Hash: F1519E70E002159FDB15DB69C4146AEBBF2FF8A311F10856BE405EB261DB719C46CB80

Function 063AD56C Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000010), ref: 063AE2C7

Memory Dump Source

Source File: 0000000A.00000002.1370748288.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_63a0000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 83f6f22ccd5a69e110d7ec60b0bc40d748dcaa0514a6fc44bf75999acbb2d853
Instruction ID: cbbd9f4d653618cd1e2a351efc2338ee87c3298ce33a9793017436c871b7c6f7
Opcode Fuzzy Hash: 83f6f22ccd5a69e110d7ec60b0bc40d748dcaa0514a6fc44bf75999acbb2d853
Instruction Fuzzy Hash: 381103B1C0065A9BDB20DF9AC445BDEFBF4EB48320F10862AD918A7240D778A945CFE5

Function 063AE259 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000010), ref: 063AE2C7

Memory Dump Source

Source File: 0000000A.00000002.1370748288.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_63a0000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8d10103feecc49b38f2a90b204b5f4aba029059624b1d565782edce698b0a6d6
Instruction ID: 681f5b7e6a95c39493c5092abc37a30ddded45e9b057cb86ec2f557a28e8ecbd
Opcode Fuzzy Hash: 8d10103feecc49b38f2a90b204b5f4aba029059624b1d565782edce698b0a6d6
Instruction Fuzzy Hash: D01114B1C0065A9BDB10DF9AC944BDEFBF4AF48310F15812AD818B7240D378A945CFA1

Function 014EF2ED Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PHq, xrefs: 014EF43B

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 3a487201a6717aaac5049eb0997eb00640505db846fb662779072621da7dc123
Instruction ID: c97013b0717acc14f983f9a9b004a0fe8d3555d4de0b101d457804fc61f06940
Opcode Fuzzy Hash: 3a487201a6717aaac5049eb0997eb00640505db846fb662779072621da7dc123
Instruction Fuzzy Hash: 6631FE70B002058FDB29AF39D15866F7BE2AF89611B24447ED402DB3A9DF39DC0AC791

Function 014EF300 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 014EF43B

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 7686ab9befd6af702e6033364205504a31cc22441a47dfb363f900f8cf03af8f
Instruction ID: 574d69d98c4c7b7eda92ad40463423954a1aec03f951c2b1a4e54c11b5e148f9
Opcode Fuzzy Hash: 7686ab9befd6af702e6033364205504a31cc22441a47dfb363f900f8cf03af8f
Instruction Fuzzy Hash: 1F31BC70B002058FDB29AF39D45866F7BE2AF89601B24447AD406DB3A9DE35DC4AC791

Function 014E6F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRq, xrefs: 014E6FE9

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: c83511b3f89afbb99d9755c7ea5d03580d490f576fac83939edcaa8e75e7ea03
Instruction ID: f332549554dfdec90a1bd93ec0c5521d6e0efbbf7d8eeadb563d298cbcbb0281
Opcode Fuzzy Hash: c83511b3f89afbb99d9755c7ea5d03580d490f576fac83939edcaa8e75e7ea03
Instruction Fuzzy Hash: 88315C74E002099BDB15CF69D45479EBBF2FF85362F10852BE816EB360EB719946CB80

Function 014E6B8F Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

LRq, xrefs: 014E6BD7

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 384771f942288edf45f9a158cd862984e2eec1072bd70fc0f84a843d6bd67b48
Instruction ID: fa3f4a885bb8b0e5c30517d7d65f281dfbdf8d5123f0ad0e3ef34ae8e8f01f97
Opcode Fuzzy Hash: 384771f942288edf45f9a158cd862984e2eec1072bd70fc0f84a843d6bd67b48
Instruction Fuzzy Hash: 5A2121306083955FC302AB399424BAE3FF6EF8A610B0544EFD045CB2AAEE369C45C791

Function 014E790B Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8218dd26c0352cd4fcadb5701a654ec55a66129463d36a35e49b3c851785a5
Instruction ID: 9170da2e8b31ed2659f2b34e46c2c06601a8b4479a76bfbb9acb750d37093c05
Opcode Fuzzy Hash: 9c8218dd26c0352cd4fcadb5701a654ec55a66129463d36a35e49b3c851785a5
Instruction Fuzzy Hash: 96125C30B052169BDB26AB7CE46862D32A3FB86652B10492AD005CF379CF75EC4BD7C1

Function 014E4A8D Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bcc5e9d8398407c83917925e579af3cf32584a39cef6c5e93fd335e86a588c
Instruction ID: fcb6a40911f0a5a87e01f90063254f079f50699e50d367c4ac4692a97c8d1886
Opcode Fuzzy Hash: b9bcc5e9d8398407c83917925e579af3cf32584a39cef6c5e93fd335e86a588c
Instruction Fuzzy Hash: 90B14270E002098FDF20CFA9D9897DEBBF1AF48315F18852AD815E7364EB759846CB91

Function 014E9364 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e112d10a5e53edc99940b7bb0e349828ce49c5d9e88dde721dadb0911f1a6bd3
Instruction ID: ba55988ca28e1ffed05433ae9b697ba0a345a9856d057c3a5eeafa6f6e7d5feb
Opcode Fuzzy Hash: e112d10a5e53edc99940b7bb0e349828ce49c5d9e88dde721dadb0911f1a6bd3
Instruction Fuzzy Hash: B6918F34A002149FDB15DF68D588AADBBF2FF88315F14856AE906E73A5DB34DC46CB40

Function 014E3E75 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859807fadc755cb73b8495cbd0b7a5d5cbc5107317ac65b0e336fa8a0bce0239
Instruction ID: 0ce1af4bfebd00c81bb3da1bff5998ecdff133afea3339a343f967db5f2e4b40
Opcode Fuzzy Hash: 859807fadc755cb73b8495cbd0b7a5d5cbc5107317ac65b0e336fa8a0bce0239
Instruction Fuzzy Hash: 35914B70E002498FDF21CFA9D98979EBBF2BF58315F18812AE414E7364DB749846CB91

Function 014E2844 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8c7c0ea227051a5866a13e244c1a5f902b76673bcb2895ef6f16d0951dcb76
Instruction ID: cfd14ea0e7397727c973b448f9cffafec420e9f52dbd1ee4dc45cb627bbb687d
Opcode Fuzzy Hash: ab8c7c0ea227051a5866a13e244c1a5f902b76673bcb2895ef6f16d0951dcb76
Instruction Fuzzy Hash: 8F715570D003499FEB25DFA9C488BDEBFF5BF08314F14812AE455AB260DBB59846CB90

Function 014E6CDD Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1dc62c86eb761c8dc4af476f6e25477ce59641fa2ed88d044fad08d8c980fb
Instruction ID: 12c4a6cb030b6e7d9b8648cec2b4b2b71dad9efc7c02b94fcba076c28c54fde6
Opcode Fuzzy Hash: 8e1dc62c86eb761c8dc4af476f6e25477ce59641fa2ed88d044fad08d8c980fb
Instruction Fuzzy Hash: EB512470D102188FDB18CFA9C889BDEBBF1BF58311F15812AD819AB3A1D7759845CF94

Function 014E6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09f2d303425ef21c21d6a7c2f42dcaf38be856e3aee8dd8b7b4fe9abf1e4ccd
Instruction ID: 140cea1c8b063fe2a07f89aa179df44b2922b651b68c2840519a4a4bf0028474
Opcode Fuzzy Hash: e09f2d303425ef21c21d6a7c2f42dcaf38be856e3aee8dd8b7b4fe9abf1e4ccd
Instruction Fuzzy Hash: 04512470D002188FDB18CFA9C849B9EBBF1BF58311F55811AE819BB3A1D775A841CF95

Function 014E1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12344d9c258305a5df0c8862d77f7770f7f11db763c7ca5799791c681cec982b
Instruction ID: b0747b2050e5022bd554734bbe918f8f8dbf67f96894269ad1124bc78c3b2ebc
Opcode Fuzzy Hash: 12344d9c258305a5df0c8862d77f7770f7f11db763c7ca5799791c681cec982b
Instruction Fuzzy Hash: DE51CB3550325E9FD726FB38F9A8A483F63B7513053188979D1008B67EDA70692BCBD2

Function 014EF1B0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94e1f5049651d70fa9278979be31e2bd3ad78e26d39d0b9f637fb35a9583c4e
Instruction ID: 0a195f760db16fcfd48818b46b9e22bbc8fad1636a96679347d4f7c50a369975
Opcode Fuzzy Hash: a94e1f5049651d70fa9278979be31e2bd3ad78e26d39d0b9f637fb35a9583c4e
Instruction Fuzzy Hash: 2C416F34A1061A9BDB19CF69D49869EBBF2BF89301F10C55AE805EB355DF31EC46CB40

Function 014E9150 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a62386991f42995e6e9c2d292e146a214e9e1de39938ba0baa3f6974e4725f
Instruction ID: f857d009606a6082586985f33126f27f05c6efc76f09e15ac4cef6ee7db9226d
Opcode Fuzzy Hash: e4a62386991f42995e6e9c2d292e146a214e9e1de39938ba0baa3f6974e4725f
Instruction Fuzzy Hash: DB318331E002159BDB19CF69D45869EFBF2EF89314F10852AE815EB391DB71DC42C750

Function 014E26DC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9bc586e05db2a693741cd50c6e974bb1ee1a113e431f4da357868c480e5026
Instruction ID: 491eed96c304051260193d1ad8afd423f730db56251872504db6a36bb86e2102
Opcode Fuzzy Hash: 4d9bc586e05db2a693741cd50c6e974bb1ee1a113e431f4da357868c480e5026
Instruction Fuzzy Hash: 0C41D1B0D003499FEB14DFA9C584ADEBBF5FF48310F14852AE419AB260DB759946CB90

Function 014EF1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa06590a9262addd28d2b4e7b037002f27bca34349805f56d26652b317e16f32
Instruction ID: e101255ea4d1cc7e92cda4f0a3e20677c3bd753f738962d6ffcb055b5ebab6d5
Opcode Fuzzy Hash: fa06590a9262addd28d2b4e7b037002f27bca34349805f56d26652b317e16f32
Instruction Fuzzy Hash: C9314134E106199BCB19CFA9D49469EB7F2BF89300F10851AE815EB354DF71AC46CB40

Function 014E26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424ce42ceb0666d6729eef77cab9d98cbe02f2e73e7e4bfbe70e259b6a14ac51
Instruction ID: 9e0592c5fea547d2f65a173110c74601ebbbc2c34590beb4718a1b56d4ec3f5e
Opcode Fuzzy Hash: 424ce42ceb0666d6729eef77cab9d98cbe02f2e73e7e4bfbe70e259b6a14ac51
Instruction Fuzzy Hash: 8E41D1B0D0034D9FEB14DFA9C484ADEBBF5FF48310F14812AE819AB250DB759946CB90

Function 014E137F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f1ccd58c752719f72f825054db4162964e5d63abe94349c0d241ddf32f2b8c
Instruction ID: 15818957fbbc6065452651de66bd62e9c3ed963c90cbde227538f91ed127a064
Opcode Fuzzy Hash: c6f1ccd58c752719f72f825054db4162964e5d63abe94349c0d241ddf32f2b8c
Instruction Fuzzy Hash: 8831F634A412018FEB32673CE49C76E3BE5EB4671AF14087BD516CB37AD634884AC792

Function 014E924F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecc8628cfdf945652e4e8f2233ff91eec99503b2626ebfb5d845db7733bacb3
Instruction ID: 8fe4ed54fcc066b79feee31b139e96f258d6c72cb3d37fc2f8b1a6e687c24278
Opcode Fuzzy Hash: 9ecc8628cfdf945652e4e8f2233ff91eec99503b2626ebfb5d845db7733bacb3
Instruction Fuzzy Hash: EF317F31E0021A9BDF09CFA8D59469EBBB2FF89304F14851AE805EB395DB719846CB90

Function 014E16A3 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ade348e4d0ac8970cc7a8341f3b38b63f33de7da2b21d88a5ffb6df147c7e77
Instruction ID: 8648df809ace675d1db6f892ed2fc5f829050fb2df0eb6a4abeeb983d7473856
Opcode Fuzzy Hash: 5ade348e4d0ac8970cc7a8341f3b38b63f33de7da2b21d88a5ffb6df147c7e77
Instruction Fuzzy Hash: 1E21A6389412154FDB22EB3CE45CB6A3BA6EB41716F140667D106CB27ED730D8568BD2

Function 014E9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a5284a0b3e809f4b315b7e73ebcec28722979c942a7cc3f64edace276ddfb8
Instruction ID: f6dab8d3f43fd2ec8fb5b64d6f5c7b5610a318bb447d9ac7081d2c389e97b78f
Opcode Fuzzy Hash: 91a5284a0b3e809f4b315b7e73ebcec28722979c942a7cc3f64edace276ddfb8
Instruction Fuzzy Hash: 21217330E0021A9BDF09CFA9D49469EFBB2FF89304F14C51AE805EB395DB719842CB90

Function 014E17C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595e0ad883b48a3b421bbc6147d81982016ec8e8509475e443272e50027b1aa0
Instruction ID: e885877a6dc6d800d1c9f830c8e9cfc04f8fffe91e7b2bdcd6e73cf57316d1c7
Opcode Fuzzy Hash: 595e0ad883b48a3b421bbc6147d81982016ec8e8509475e443272e50027b1aa0
Instruction Fuzzy Hash: AC21B171B403159FDB21AB7DA80C6AB7BE5FB89B12B110976D506CB319EA30C851C7C0

Function 014E1878 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a038c950deaae7b8bf02d0ff05cb015a5976447ef49e848e67da8fe84b351ccc
Instruction ID: 4f9693a0a9945d7c4907af91e5d9ca68b01c790678ecd0dd571ae93094a0ad2f
Opcode Fuzzy Hash: a038c950deaae7b8bf02d0ff05cb015a5976447ef49e848e67da8fe84b351ccc
Instruction Fuzzy Hash: 6B214C70B40205CFEB65EB78C5587AE7BF2AF49606F10046ED106EB3A1EB369D41CB61

Function 014E4F89 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cf341d8f2c29024099d0d9342723535f93467b184ae18df34449bd7fa32124
Instruction ID: 3eb1b0e6f43506e1ea20dd9b78e03bb3755c97e307706c5495abe8bb3b9873f1
Opcode Fuzzy Hash: a9cf341d8f2c29024099d0d9342723535f93467b184ae18df34449bd7fa32124
Instruction Fuzzy Hash: 49214874740204CFCB64EF78D56CAAE7BF2EF49205B1104AAE406EB365DB769C01CBA0

Function 014E9A30 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1638509c7e095131d4abc9151d883f189b6ccc1aa1adc0f603fcbd9588b3e1b9
Instruction ID: 9e6fc4248af1352144d1231cfb615886483668063792ae2d74daaada9d8dd7cf
Opcode Fuzzy Hash: 1638509c7e095131d4abc9151d883f189b6ccc1aa1adc0f603fcbd9588b3e1b9
Instruction Fuzzy Hash: B6218E31B102458FEB14DB69C958BAE7BF6BF88715F24806AE505EB3A0DAB1DC40C790

Function 014E9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab97149a1fc9359c3d40eec9899fea95c20cebeec4f58941adf2c8534838e94
Instruction ID: 4e488141c54e34b463cb2a3fbbf6b5de507643570350ba4a42f5f491edc8e1ed
Opcode Fuzzy Hash: 3ab97149a1fc9359c3d40eec9899fea95c20cebeec4f58941adf2c8534838e94
Instruction Fuzzy Hash: DA215330E002199BDF19CFA9D458A9EFBF2AF89304F10891AE815BB390EB70DD41CB50

Function 014E1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50924a577e34c9b3affc2a891ac3506266815ca540d365a6e60ed177bab0256
Instruction ID: cf2e65d618d956e850b6e9c3a35dcc9fd1ecafca915348b3d6b2bd2032b4659f
Opcode Fuzzy Hash: f50924a577e34c9b3affc2a891ac3506266815ca540d365a6e60ed177bab0256
Instruction Fuzzy Hash: 1A213D30B40209CFDB64EB78C5587AE7BF2AF49606F20046AD506EB361DF369D41CBA1

Function 014E16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1085a54b2225f6163d829291f3dab7e1be874a2c91d8d8f7e623502243520ea7
Instruction ID: 176a84350d2b29e57d9e20f28ac889731debbaee66dbc076c139bd5be86e366f
Opcode Fuzzy Hash: 1085a54b2225f6163d829291f3dab7e1be874a2c91d8d8f7e623502243520ea7
Instruction Fuzzy Hash: 8F2162386412054FDB22EB3CE89CB1E3796E741716F104622D106CB36EDA30E8558BD2

Function 014E1488 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109e839da169d7c5036f8e9cdb839ae347773073576bef5ca1b91afb16f90d37
Instruction ID: a3e655b4e160c761f6318dcd69f3cd96302cd4324cc17b9a9109326b2a0e8bcf
Opcode Fuzzy Hash: 109e839da169d7c5036f8e9cdb839ae347773073576bef5ca1b91afb16f90d37
Instruction Fuzzy Hash: 6811B131B403169BCF22EFB884581AE7BF5EF59622B14447BD805D7311E676D8428B90

Function 014E4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5706371dbda28116dc0cf3dfff43a5d961f69a942fe482c817f7ac3770fe5d
Instruction ID: c5fcb17df763b40aab36b83d1cd893ac89f7fd4eeb60ec0a7aa0c42433ba73bc
Opcode Fuzzy Hash: 5e5706371dbda28116dc0cf3dfff43a5d961f69a942fe482c817f7ac3770fe5d
Instruction Fuzzy Hash: AE212874700205CFCB64EB78D56CAAE7BF2AF89605B11046AE506EB3A5DB369D01CB90

Function 014E0838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289b6a664ed40d5e9ce855aba14db83f5cf49538238d52eaadb6a7f5def56ec5
Instruction ID: fcefce0deb0a548b8d7ea05c7a8729ae5b04befbc27e8edc27d87d59464dfbcd
Opcode Fuzzy Hash: 289b6a664ed40d5e9ce855aba14db83f5cf49538238d52eaadb6a7f5def56ec5
Instruction Fuzzy Hash: C811C434B012059BEF265A7CD45836A37E1FB86216F10497BE066CF366DAB5CC468BC2

Function 014E0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f1bf5494bab470adbed02100c7d116ea3a504c0e3109910399c2d39e7290ce
Instruction ID: 17edf619523efc4ec64f01c2693ef769523fe0c061a6eb20b8b62bc1c8064320
Opcode Fuzzy Hash: f6f1bf5494bab470adbed02100c7d116ea3a504c0e3109910399c2d39e7290ce
Instruction Fuzzy Hash: 3C11E734B002099BEF256A7DD45C72A32D5FB85216F10493BE026CF366DAB1DC868BC1

Function 014E1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016677ce6aa609be722dc02e710dab0fac6382f3b6c752b54fabc65c914927b6
Instruction ID: baa415b1f0703dcfff4e30a780a805552c6c70fed875627c11e67e6dbb616233
Opcode Fuzzy Hash: 016677ce6aa609be722dc02e710dab0fac6382f3b6c752b54fabc65c914927b6
Instruction Fuzzy Hash: 5F018C31F012268BCF21EFBD88585AEBBF5EB58612B24057BD805E7311E775E8428B91

Function 014E9898 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb893d85856f39787db777819b3f8af1d22fdc6cdcee8e5983a58073c77bdca
Instruction ID: 9534fb10b7fdcbfe4e438ef3e9091a14e1daac5b823bc455b1aa2d025c31a1f8
Opcode Fuzzy Hash: 5cb893d85856f39787db777819b3f8af1d22fdc6cdcee8e5983a58073c77bdca
Instruction Fuzzy Hash: 0E01B530A002048BDB14EF55E88478EBBA5FF94311F54C265C8085F39AEB70E906C7A1

Function 014E80F1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cce7bce6194a8832951f711f82b760db4e1dc46683141c8f8c7889e7720a6e4
Instruction ID: d2f92263b56c77cdc86e0692a868cac128930dad57000deb9bcbb703e8347a0f
Opcode Fuzzy Hash: 5cce7bce6194a8832951f711f82b760db4e1dc46683141c8f8c7889e7720a6e4
Instruction Fuzzy Hash: B0018F789112199FDF05EFB5E95479D7BB2AB41200F2086AAC104AB15DEA31AE1ACB42

Function 014E7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7555ae6f314b5e043e87262d904717154e31715832ab11779f1973dd48f2c65f
Instruction ID: 0a365ec58cc77efd963d51fb3aab261b7221cb83d9fe61e1440cf34f2608b328
Opcode Fuzzy Hash: 7555ae6f314b5e043e87262d904717154e31715832ab11779f1973dd48f2c65f
Instruction Fuzzy Hash: 3FF0C935B402089FC714DB78D568B6D77B2FF88316F514469E506DB3A8DB31AD46CB80

Function 014E8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1365853839.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9fcc0c62b18390082d9e252894acc94eda128b9d404f49598e42b7bd34ee17
Instruction ID: e9272a9b7c3e2cf0af51778631c445ace5371983ea6829e9fd9510f50f82c522
Opcode Fuzzy Hash: dd9fcc0c62b18390082d9e252894acc94eda128b9d404f49598e42b7bd34ee17
Instruction Fuzzy Hash: 5DF0317891121D9FDF05FFB5F954A9DBBB2AB44300F5086A9C104AB25CEA317E16CB82

Analysis Process: eeXxnIpy.exePID: 8016, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	289
Total number of Limit Nodes:	9

Executed Functions

Function 05462289 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 054624C6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6c43bd4d46e14b0edd930ad8b3a4941f3c078f0f2cb3bba91dd29968d77d87b4
Instruction ID: 47054561cff5f0738b73a31dc5def546a9d52c44557e28bf221228664cec44ba
Opcode Fuzzy Hash: 6c43bd4d46e14b0edd930ad8b3a4941f3c078f0f2cb3bba91dd29968d77d87b4
Instruction Fuzzy Hash: 7B916E75D043199FDB24DF68C845BEEBBB2BF44310F1485AAD809A7240DBB49985CF92

Function 05462290 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 054624C6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4d1fba2ce2cff709975e73d9ea8ef9d6ca4f32329dda9c8a028e47b0143da2d8
Instruction ID: b98dc096c6a682da879ba7414cdc98dfe561f69648ca01e1de9ecad47bc9b767
Opcode Fuzzy Hash: 4d1fba2ce2cff709975e73d9ea8ef9d6ca4f32329dda9c8a028e47b0143da2d8
Instruction Fuzzy Hash: 23916E75D04319DFDB24DF68C845BEEBBB2BF48310F1485AAD809A7240DBB49985CF92

Function 058E18E5 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E1A02

Memory Dump Source

Source File: 0000000B.00000002.1399856542.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_eeXxnIpy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a9d1ed37888c12c4f94247d171b24febead93171cccf8ad676452b5ddbd66312
Instruction ID: 13ac85dce85db8fe05dbaf246dcd6c66d7c9bd4efb5a5a999f9517de571ca6ee
Opcode Fuzzy Hash: a9d1ed37888c12c4f94247d171b24febead93171cccf8ad676452b5ddbd66312
Instruction Fuzzy Hash: 5E51C0B1D00349DFDB14CFA9C885ADEFBB6BF49310F24812AE819AB210D7759945CF90

Function 058E18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E1A02

Memory Dump Source

Source File: 0000000B.00000002.1399856542.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_eeXxnIpy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7b3a97b05ec25bd013e5e298c484b09e81592d155a40cb9964f1c0af002f4b77
Instruction ID: a486ddc40dc3cdce58c8c034d097dcd9ec4f0ef1ca361e7236cc35a79021f106
Opcode Fuzzy Hash: 7b3a97b05ec25bd013e5e298c484b09e81592d155a40cb9964f1c0af002f4b77
Instruction Fuzzy Hash: 2E41B0B1D00349DFDB14CF99C884ADEFBB6BF49310F64812AE819AB210D775A985CF90

Function 058E4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 058E4111

Memory Dump Source

Source File: 0000000B.00000002.1399856542.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_eeXxnIpy.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fa78658d005cc8120f926ba59f71808741706c2e28ff3ded2e028f5edfab4da4
Instruction ID: f0df4fadfd9c9c3a07900561b0515856e6a64c0a31ad447de80bae71e9449a69
Opcode Fuzzy Hash: fa78658d005cc8120f926ba59f71808741706c2e28ff3ded2e028f5edfab4da4
Instruction Fuzzy Hash: 38414BB8900309CFCB14DF99C848AAABBF6FF89314F25C458D519A7321D375A841CFA0

Function 05461C01 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05461C98

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 91c9913788c61dee7481232d18caf079c693b6e7e2172b840cc0cef210cd14aa
Instruction ID: 12648c159959e314e96fc373944e7165d2bf031866f748350d53d45b0677640b
Opcode Fuzzy Hash: 91c9913788c61dee7481232d18caf079c693b6e7e2172b840cc0cef210cd14aa
Instruction Fuzzy Hash: 89214875D003499FDB10DFAAC885BEEBBF5FF48310F50842AE919A7240C7789941CBA5

Function 05461C08 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05461C98

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6eae2789eee3fa017cf9350a1685f53c0a1eeaeb5fc64f0427ec18a02915c2cd
Instruction ID: a10f14bbf5146c8bf9839be9e1fefddee513cc041050f83bb6b95965aa652675
Opcode Fuzzy Hash: 6eae2789eee3fa017cf9350a1685f53c0a1eeaeb5fc64f0427ec18a02915c2cd
Instruction Fuzzy Hash: B02125B5D003499FDB10DFAAC885BEEBBF5FF48310F50842AE919A7240C7789941CBA5

Function 05461CF0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05461D78

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cd27dc114c8854e39f923a5787cf529e6b5ee69155c61b1c2dbfab2d6aaae29a
Instruction ID: 8e2c96bf2183dd130a6b860172c5b62b66d2b72b75f6cda6aaf1a30364a046de
Opcode Fuzzy Hash: cd27dc114c8854e39f923a5787cf529e6b5ee69155c61b1c2dbfab2d6aaae29a
Instruction Fuzzy Hash: 1A212571C003499FDB10DFAAC881BEEBBF5FF48310F54842AE919A3250C739A901CBA5

Function 05461630 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 054616B6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4bd36cfbfee12725f3c4a9494b87c923f652adb51dc8472f3315da615aa6cb17
Instruction ID: 22c465234421bd03f7d5c82500dab859474f2d51d2dc955b563515126b9548da
Opcode Fuzzy Hash: 4bd36cfbfee12725f3c4a9494b87c923f652adb51dc8472f3315da615aa6cb17
Instruction Fuzzy Hash: 492187B5C003098FDB10DFA9C4857EEBBF5AF48210F14842AD459A7241CB789941CFA1

Function 05461CF8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05461D78

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 735722071bf67560d072c8c7a0dfa9ec20d188ad16fb8aaea06b72091b32106c
Instruction ID: ff8ee41ee633ee59739891a8977b0875fd71c9f74652eef1587f98dc28cbcf14
Opcode Fuzzy Hash: 735722071bf67560d072c8c7a0dfa9ec20d188ad16fb8aaea06b72091b32106c
Instruction Fuzzy Hash: 04211471C003499FDB10DFAAC881BEEBBF5FF48310F54842AE919A7250C779A941CBA5

Function 05461638 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 054616B6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 418cd5ace3ea9ca5aef59655ecf808f0da8512658995d37cc815219f3a04e986
Instruction ID: ae2dc9e6c5bd8749f8ab74a1502456d56d460f7cfdb6a348b88600bd982c22bf
Opcode Fuzzy Hash: 418cd5ace3ea9ca5aef59655ecf808f0da8512658995d37cc815219f3a04e986
Instruction Fuzzy Hash: 9A213475D003098FDB10DFAAC485BEEBBF5AF48220F54842AD419A7241CB78A945CFA5

Function 05461B41 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05461BB6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 877d8bdf53d9cac5a1b2078c0b2ef0bb401c68eb097cabfd3a626c3c3f9155fa
Instruction ID: 9e02d44ca2de1dbd3c7aea591f3e0c9b965c7f7cd5bde51d255230d3160cdd63
Opcode Fuzzy Hash: 877d8bdf53d9cac5a1b2078c0b2ef0bb401c68eb097cabfd3a626c3c3f9155fa
Instruction Fuzzy Hash: 26118975C003498FDB20DFAAC844BDEBBF5EF48320F14841AE925A7240CB35A541CFA0

Function 05461B48 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05461BB6

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2be7296f7d89c03fec3fe262b14e3d257faa6451b96ca3db331bb05e315f137b
Instruction ID: 129c6f17883da0946f41cfa4aefd298d6fe5eb0135ca5cf3a95e0b2aea99b5e0
Opcode Fuzzy Hash: 2be7296f7d89c03fec3fe262b14e3d257faa6451b96ca3db331bb05e315f137b
Instruction Fuzzy Hash: AD112675C003499FDB20DFAAC845BDEBBF5EF88320F14841AE529A7250CB75A941CFA1

Function 05461581 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 054615EA

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7fb076ab98acbe7b872b255886e3509eb74e4460e181db4b5293991df57860cd
Instruction ID: 32ae0a55ec0b5d1d76825455fc1cc3c18f1c537f6b66dde4f9f75ecfe83b9c1d
Opcode Fuzzy Hash: 7fb076ab98acbe7b872b255886e3509eb74e4460e181db4b5293991df57860cd
Instruction Fuzzy Hash: 91115875C003488FDB20DFAAC8457EEFBF5EB48220F24841AD519A7240CB75A941CF95

Function 05461588 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 054615EA

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 010ebbb6d47b3192dfd9e786bd7b60a079eec6ba7b1291f52864fa7d1db46d4a
Instruction ID: 7e834fbb21212a4eb4a7d9478363c8a4b22c9a076bab58d31a67f8ada09c5d38
Opcode Fuzzy Hash: 010ebbb6d47b3192dfd9e786bd7b60a079eec6ba7b1291f52864fa7d1db46d4a
Instruction Fuzzy Hash: C8112575D003498FDB20DFAAC8457DEFBF5AB88220F24841AD519A7240CB79A941CFA5

Function 05461FA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05465A4D

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5773efa7872b24bc24af06321eeeaf2663d50e1ed76bca34a20ddfaed74320b2
Instruction ID: 082d24f124a4c21078776e31b9776ad7288f3dc4ca9011fdb4d42fe79a632154
Opcode Fuzzy Hash: 5773efa7872b24bc24af06321eeeaf2663d50e1ed76bca34a20ddfaed74320b2
Instruction Fuzzy Hash: FF11E0B58003499FDB20DF9AC885BDEBBF8EB48320F10841AE519A7241C375A944CFA5

Function 054659EA Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05465A4D

Memory Dump Source

Source File: 0000000B.00000002.1399637151.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5460000_eeXxnIpy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dd7243cd87df0a95a2feab715b5d68f20e762cfe683cdf722a6ae51b7c34fcda
Instruction ID: aa9ba1aa8506711a757e3cb0485a562af2725cd277492d721c544e13cfb79183
Opcode Fuzzy Hash: dd7243cd87df0a95a2feab715b5d68f20e762cfe683cdf722a6ae51b7c34fcda
Instruction Fuzzy Hash: B11103B98003499FDB10DF9AD885BDEFBF8EB48320F14841AE558A7700C375AA45CFA5

Function 0163D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672651c8d0601cc9a92f4cdc1ccf7735126d5a5560b481f76e2579b6a422cb40
Instruction ID: 1ae1ef9898474d735b870a78792a632e16e1fed85f998c56b2b0566c80e0714d
Opcode Fuzzy Hash: 672651c8d0601cc9a92f4cdc1ccf7735126d5a5560b481f76e2579b6a422cb40
Instruction Fuzzy Hash: 2A21CFB2604240EFDB15DF54D9C0B26BF66FBC8328F64C569E9090A296C336D456CAA2

Function 0163D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b837649014baa8886fa4110121bb7d0f2f21f14f7a0eaa0624323421216254
Instruction ID: 3f0c75c73eb6918f853b6b0b31094caaf52f5b21e3a665058777a22f98b955bd
Opcode Fuzzy Hash: 77b837649014baa8886fa4110121bb7d0f2f21f14f7a0eaa0624323421216254
Instruction Fuzzy Hash: FE21F171604204DFDB15DF54D9C0B5ABB65FBD8324F60C169E90A0B357C336E856CBA2

Function 0164D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382166709.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_164d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7af6b978a29a436e010bcf22790feb58e28e995e835b9025cd1fb21badb2ad
Instruction ID: 363932589aa7fac6891f685cf6832bfcef87411ed30cd89dc1f4a9a6c94e5206
Opcode Fuzzy Hash: ee7af6b978a29a436e010bcf22790feb58e28e995e835b9025cd1fb21badb2ad
Instruction Fuzzy Hash: D721F271A04200EFDB15DF94D9C4B26BBA5FB94324F20C6ADEA494B396C336D847CA61

Function 0164D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382166709.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_164d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270fc7c807cfcb4bcfb54a57d141a6ffef8d376b5e2e1b60bc0a3e5b6c542147
Instruction ID: 98d9830518701a9c69aa1b96e79df67415273a5b9907080dce381d684ad0107b
Opcode Fuzzy Hash: 270fc7c807cfcb4bcfb54a57d141a6ffef8d376b5e2e1b60bc0a3e5b6c542147
Instruction Fuzzy Hash: 3721F275A04300DFDB15DF94D9C4B16BB65EB94B14F20C5ADD84A4B386C33AD847CA62

Function 0163D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 7f288e6d8e9a9af046c0aa29870d05936ec1d67b23db34e739b56fc914ea8ee3
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: AB11B176504280DFCB16CF54D9C4B16BF72FB84324F24C6A9D8490B697C336D456CBA1

Function 0163D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 51ae4b0cd909fe24c7b5fdfd27f5a4a7fabe4be39deaf8b5fd9be9d9e5e29895
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: D611DCB6504280DFCB06CF54D9C0B56BF72FB84324F24C2A9D8490B257C33AE45ACBA2

Function 0164D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382166709.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_164d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 7f684a1958e63487303f224c4642d12b49b6f3dbba5afc02f81cc982fbe9d429
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: DF11BE75904280CFCB16CF54D9C4B15BB62FB44714F24C6ADD8494B796C33AD40ACB61

Function 0164D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382166709.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_164d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 9598c7b8b52cf0bfd92c681aeff0a8343b1656b251fce5f40f707d7410a27752
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: C011BB75904280DFCB06DF54C9C4B16BBA2FB84324F24C6ADD9494B396C33AD40ACB61

Function 0163D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcd261c9112641c89834c50127fe403ae9b7e1e52693862d1b44b3fad324e1a
Instruction ID: c7a9b201e2a940fe90203c3946b9c254355dd3c72d1832d4361fcfe10c132f9f
Opcode Fuzzy Hash: 3bcd261c9112641c89834c50127fe403ae9b7e1e52693862d1b44b3fad324e1a
Instruction Fuzzy Hash: 220126714083809FE7224AA5CCC4B77FFA8DF81621F58C41AED080B387C338A841CAB2

Function 0163D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1382092548.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_163d000_eeXxnIpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75215646e480dd84db2b28de546e01d58e0e63d56558691b79aa23f6b6ee4e37
Instruction ID: 1fc25b9a9eaf7acdb8ff0818084d53cc941c3d79e1df96adbd9ed9b004d771f7
Opcode Fuzzy Hash: 75215646e480dd84db2b28de546e01d58e0e63d56558691b79aa23f6b6ee4e37
Instruction Fuzzy Hash: E0F06D71405384AEE7258A5ADC84B62FFA8EF91635F18C55AED084B387C379A844CAB1

Analysis Process: MSBuild.exePID: 5960, Parent PID: 8016COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 01229B38 Relevance: 2.8, Instructions: 2803COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29b8214e3de1fd2050200cfe4dea8d19b26331e8fc3969737df0dad82df6c4e
Instruction ID: 1931b961fb2a30ecfa743700e16954421ffb8b77b9eb16ce65ebd8ec0ec4a487
Opcode Fuzzy Hash: a29b8214e3de1fd2050200cfe4dea8d19b26331e8fc3969737df0dad82df6c4e
Instruction Fuzzy Hash: 7653F731C10B1A9ADB51EF68C8805ADF7B1FF99300F15C79AE4597B121EB70AAD4CB81

Function 0122D021 Relevance: 2.1, Instructions: 2055COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09c97b397ab88bb3f5d1452689f25d31049c7406c73eec6792a361ea5a0c503
Instruction ID: aefa98f360b5d979ddb1d9f053af2ab1ff66bd7db7deb7e666ba0b3953e3e76f
Opcode Fuzzy Hash: b09c97b397ab88bb3f5d1452689f25d31049c7406c73eec6792a361ea5a0c503
Instruction Fuzzy Hash: 91230D31D10B1A9EDB11EF68C8806ADF7B1FF99300F55C79AE458A7211EB70AAC5CB41

Function 01229378 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15bc176ee9ded7e47e9749ef917fb8ea073c00cecc0db99631947fffa7b92f2
Instruction ID: d8545c1938c54bee041639284a12713354e76ef474671c338d763c165ea793b8
Opcode Fuzzy Hash: f15bc176ee9ded7e47e9749ef917fb8ea073c00cecc0db99631947fffa7b92f2
Instruction Fuzzy Hash: 4E327B34A102259FDF24DF68D580BADBBB2FB88314F248569E90ADB355DB71DC81CB50

Function 01224A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0dd74aa0dac490f9d2d52ba1d63e3aa7465ca1dd72acafa51980d66205a3d6
Instruction ID: d36593efddf5110cc31a2ae52c889987efcaa94bf71e1aa3aa6cc1efc3217aae
Opcode Fuzzy Hash: cc0dd74aa0dac490f9d2d52ba1d63e3aa7465ca1dd72acafa51980d66205a3d6
Instruction Fuzzy Hash: 30B17E70E1026A9FDB24DFADD8817DDBFF2AF48314F148129D914E7294EB749881CB81

Function 01223E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be3dfde1e0e45c1e71acf311d603f3f49ee8f8af086b847a45fa1e4af9cc7b4
Instruction ID: 29db64d963673d77f8c2e9f5bb30d96dcabd1fcc721895bcaeda94a0c362f438
Opcode Fuzzy Hash: 3be3dfde1e0e45c1e71acf311d603f3f49ee8f8af086b847a45fa1e4af9cc7b4
Instruction Fuzzy Hash: 32917E70E1035AAFDB24DFA8D885BDDBFF2BF58304F248129E505A7254DB789885CB81

Function 01226ED8 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 01226FE9
LRq, xrefs: 01226F0E

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: 316bf8c8b0358a956c0bffa22a9d6dc60daac0b3ac604fdb814377d6093ee698
Instruction ID: 4b2a2825ebe676338cea2dcedd8d1de7b91f583b8682d7cda85ebd2f6624914f
Opcode Fuzzy Hash: 316bf8c8b0358a956c0bffa22a9d6dc60daac0b3ac604fdb814377d6093ee698
Instruction Fuzzy Hash: CC41C431E202259FDB15DFB8C4517AEBBB2FF89300F20846AE406EB291EB759D45CB40

Function 05F4E188 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2573657250.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f40000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09f9eef51726b137091f11948af3f6d7b81f478f0096b632bdbf2a210acbf65
Instruction ID: 4316f6fdd00955e3cdf18c378ef8932c32bdb02366356779083332b2e6fc63a5
Opcode Fuzzy Hash: f09f9eef51726b137091f11948af3f6d7b81f478f0096b632bdbf2a210acbf65
Instruction Fuzzy Hash: CE413272E143558FCB14DFA9D8007AEBFF5BF89210F14866AD509E7390DB389941CB91

Function 05F4D578 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2573657250.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f40000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b04933699ec1b9d42498e2838c94a4d17a8f4a8138a2b32d5f87aad68968bb
Instruction ID: 0a995f016e0f84cb22745476aba4019b955d005eec4cba3843a5ab4496f89415
Opcode Fuzzy Hash: 39b04933699ec1b9d42498e2838c94a4d17a8f4a8138a2b32d5f87aad68968bb
Instruction Fuzzy Hash: CE41F272C183999FDB11DF69D8406DABFB4FF06224F04846AD404EB242E7785805CFE5

Function 05F4D56C Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F4E1DA), ref: 05F4E2C7

Memory Dump Source

Source File: 0000000F.00000002.2573657250.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f40000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 22a9e55b89bd4ca783d6d8256921bd70d5453c8f3a8ee30a788132cde7c4608e
Instruction ID: 5712d54385619bf20305fbd7f15cf8a640f9b86992e9a6ee29d479cd88190f24
Opcode Fuzzy Hash: 22a9e55b89bd4ca783d6d8256921bd70d5453c8f3a8ee30a788132cde7c4608e
Instruction Fuzzy Hash: DC1117B1C106599BCB10DF9AC445BDEFBF4FF48320F10856AD918A7240D778A941CFA5

Function 05F4E259 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F4E1DA), ref: 05F4E2C7

Memory Dump Source

Source File: 0000000F.00000002.2573657250.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f40000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 74285670a2b2df5442ab49285f2dee0252d85830f835e19cb091dedc2011a816
Instruction ID: 2a04eda7a29bcabc76b56d0ef499c1e85d8158fa98459953353e55c66f08203e
Opcode Fuzzy Hash: 74285670a2b2df5442ab49285f2dee0252d85830f835e19cb091dedc2011a816
Instruction Fuzzy Hash: 051103B1C1065A9BCB10DF9AC445BDEFBF4BF48320F14812AD918A7240D778A9418FA5

Function 0122F2ED Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PHq, xrefs: 0122F43B

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 114a5b2499d3ffd102b0be407aeb1e8227e2ffd011ae7f4ace7239b004bb4147
Instruction ID: ee0e4b05614287ed159e1c7bc23308fb5d68290ddf79fd33b9e6e95bfae019d6
Opcode Fuzzy Hash: 114a5b2499d3ffd102b0be407aeb1e8227e2ffd011ae7f4ace7239b004bb4147
Instruction Fuzzy Hash: 3C31FC31B102169FDB29AB38D65476E3BB2EB88600F24446DE502DB3A5DF71DC06CB90

Function 0122F300 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 0122F43B

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 7beaf7e04862024600d89e2744e90fb323f14cb0f0d4c807b31a9c57894d59c4
Instruction ID: ac7762bf64e7859aa6193068278b0eb1db4643e6b182209ba68681ad34f3f080
Opcode Fuzzy Hash: 7beaf7e04862024600d89e2744e90fb323f14cb0f0d4c807b31a9c57894d59c4
Instruction Fuzzy Hash: BF31FC31B0021A9FDB29AB39D65476E7BF2AF88700F244469D502DB395DE71EC06C790

Function 01226F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRq, xrefs: 01226FE9

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 28603f3fbbd231cd9302dffec5374bc4713463c74e93fcdbe235ab7abdcd1f19
Instruction ID: d039d896f921d6b371d0a57cb3479c1573d9f2dbbda5061054b6b25b446fb689
Opcode Fuzzy Hash: 28603f3fbbd231cd9302dffec5374bc4713463c74e93fcdbe235ab7abdcd1f19
Instruction Fuzzy Hash: D731A835E2021A9FDF15CFA9C450B9EB7B2FF85300F508515E905EB240EB759D45CB40

Function 01226BA1 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

LRq, xrefs: 01226BD7

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 532cc18c817ba6969266dc12e1ce415da32ee66409042f7b05bead1e47d516e1
Instruction ID: cc8c062e6312be7dcf63aedcffeb84e0e82cec3d925cf1918e5629126d8be061
Opcode Fuzzy Hash: 532cc18c817ba6969266dc12e1ce415da32ee66409042f7b05bead1e47d516e1
Instruction Fuzzy Hash: FB11E0326082805FD301AB78D424B6E7FB6AF86710B1484AED046CB396DE3698058796

Function 0122790B Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1fd9e6264f8368c4bb1ba4d3a16c7d63a601066fd4150d3444c7866bc9f846
Instruction ID: b1e27de1aa22007f967247b3536dce42f7487a040e23c1e28df4e8f9ee5c1f9d
Opcode Fuzzy Hash: 5d1fd9e6264f8368c4bb1ba4d3a16c7d63a601066fd4150d3444c7866bc9f846
Instruction Fuzzy Hash: 07126D347202129FDB26AB38E49562C37A3EBC9355B604A39E105CF356CF75ED4B8B81

Function 01224A8F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c581bdecb84008ebfd7f9362f0453a07ae095b160e5262c44f4d57f9220311a
Instruction ID: 8ff360ad8d82c26984e28206fb43362ca3165fdab56834a0520e5b1f35b0d907
Opcode Fuzzy Hash: 9c581bdecb84008ebfd7f9362f0453a07ae095b160e5262c44f4d57f9220311a
Instruction Fuzzy Hash: DBA15F70E2026A9FDB25DFACD8817DDBFF1AF48314F148129D914E7294EB749885CB81

Function 01229364 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7c943e3465633135720d0fea4e815d48a369df8015260283a20804df54a94e
Instruction ID: 59baa622dd055ba3d6b086e3d6d63105c7e0e7fb91db0d1893e3cc5f8e92982d
Opcode Fuzzy Hash: 1f7c943e3465633135720d0fea4e815d48a369df8015260283a20804df54a94e
Instruction Fuzzy Hash: 5491AF34A102259FDF24DF68D580AADBBF2EF88315F148429E906D7355DB31EC82CB40

Function 01223E77 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ce490a37ac260c480071f96289b9e44543c49964a562f86c8447583d5ef4cb
Instruction ID: 15ada904f763c84920239747a9a63b1aa10a3e7ec248cc2e562cfd8db4a71847
Opcode Fuzzy Hash: 52ce490a37ac260c480071f96289b9e44543c49964a562f86c8447583d5ef4cb
Instruction Fuzzy Hash: 3A917F70E1025AEFDB24DFA8D885BDDBFF2BF58304F248129E505A7254DB789885CB81

Function 01222844 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cba95208b036f939b3bad1418e7df4428271fc66abcc5f961f7960c50c322a
Instruction ID: 4e6738a06dca80281204cb8e21e28d473e3eae4ffdd8f90bf88ed36b3658bbc0
Opcode Fuzzy Hash: 86cba95208b036f939b3bad1418e7df4428271fc66abcc5f961f7960c50c322a
Instruction Fuzzy Hash: 38818670D10359EFEB25CFA9C880BEEBFB0AF08310F148059E915AB250DB76984ACF51

Function 01224810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fe1c2f67ada68c470f991748a176557a80f941b1a5cea35f38226ffa5fc297
Instruction ID: 7138c709d9695ea3def06ef753e41f1e62efc27945eb9e771bb3336b1eca7f18
Opcode Fuzzy Hash: 31fe1c2f67ada68c470f991748a176557a80f941b1a5cea35f38226ffa5fc297
Instruction Fuzzy Hash: BD718E70E2039A9FDB14DFA9C8807DEBFF2BF88314F148129E515A7254DB749841CB95

Function 01224804 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a5a5243441e3a62533e2ac1b1bd20262c74459d3cbe131203410ce1a59fe51
Instruction ID: c718cc5c49b03dabb8cd9be3a6710622c590d5d683d7b38f8ba05554b9a00873
Opcode Fuzzy Hash: 49a5a5243441e3a62533e2ac1b1bd20262c74459d3cbe131203410ce1a59fe51
Instruction Fuzzy Hash: 2B719C70E2039AAFDB24DFA9C8807DEBFF1AF48314F148129E514AB254DB749841CF95

Function 01226CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab603316bfc3dc91af7c6f04ffc4e31c07c0d58c167360f907fdf264f4519e8
Instruction ID: 071a3cc88502adefae2693368a88188cc180255de8cc11926b8618e6803c9357
Opcode Fuzzy Hash: 4ab603316bfc3dc91af7c6f04ffc4e31c07c0d58c167360f907fdf264f4519e8
Instruction Fuzzy Hash: 20513471D202299FDB18CFA9C885B9DBBF1BF48310F158129E815BB351DB74A880CF95

Function 01226CDD Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec08bdb52a731ac432bb07c901eead26bc4cf33dbdbddcb10888a684cf87bdf5
Instruction ID: 0058404f3db4e23c7eaa1b3c221df2785d381952643b05d74e56a3ab7013ead8
Opcode Fuzzy Hash: ec08bdb52a731ac432bb07c901eead26bc4cf33dbdbddcb10888a684cf87bdf5
Instruction Fuzzy Hash: 8D513471D202299FDB18CFA9C885B9DBBF1BF48310F14812AE815BB351D774A884CF95

Function 0122112B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0bda9a69aa56f4dd05291011bd9d8975a7a17315a1c5cb4242e3105342b185
Instruction ID: c2f0b9eaac4f46dd7358f64365e31c32bcc42112656f72c9c4ec2a9ea365ba4b
Opcode Fuzzy Hash: 4f0bda9a69aa56f4dd05291011bd9d8975a7a17315a1c5cb4242e3105342b185
Instruction Fuzzy Hash: 985150742212568FCF36FB29FE809453FA1B7D930D3448969D1085FA7EDB742A4ACB81

Function 01221138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df33827144c56e371d8fb5d229878d678753815e1a6ac2bab399b554cdf26102
Instruction ID: 4049dae8d66c6c9a33f687440264827dd5f459c25c8af17fda6b7a735069267b
Opcode Fuzzy Hash: df33827144c56e371d8fb5d229878d678753815e1a6ac2bab399b554cdf26102
Instruction Fuzzy Hash: BB515E742212468FCF36FB29FE809453FA1B7D930D3448969D1085FA7EDB742A4ACB81

Function 01229150 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e54aa733f1f9e98250de9972d78d8922d78fbb8adec102dca5aa5ecbe699e4d
Instruction ID: e68073743d414cf78bb3ba71587e5ffb173643ec07536e564bb06a2aee3b0eee
Opcode Fuzzy Hash: 2e54aa733f1f9e98250de9972d78d8922d78fbb8adec102dca5aa5ecbe699e4d
Instruction Fuzzy Hash: 4F31E630E102369BDF09CF69D45569EBBB2EF85314F20862AE805EB341DB71DC86CB50

Function 0122F1B0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcf61a13a1a097ec2e138740c0ebfe626b061b9c3743c54c38cbb770b9b2c92
Instruction ID: cdb2d917f2faeeb0964fa52dd8f9cce5dcc45feb6a64d2333d277b0bca06e034
Opcode Fuzzy Hash: 4dcf61a13a1a097ec2e138740c0ebfe626b061b9c3743c54c38cbb770b9b2c92
Instruction Fuzzy Hash: 8D316E35E206169BCB19CFA8D59569EBBB6BF8A310F10C529E805E7355EB70EC41CB40

Function 0122F1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c38281ed2167cffce50cb4e56b82e073e97735a33060f8b1055f39512c413c7
Instruction ID: 03125eb9a6af8c87c8d2b7b1ba6494eccf0c7b05f1e0e398f72b88345845215e
Opcode Fuzzy Hash: 5c38281ed2167cffce50cb4e56b82e073e97735a33060f8b1055f39512c413c7
Instruction Fuzzy Hash: FA316035E206169BCB19CFA9D55569EBBF2BF8A310F10C629E805EB355EF70AC41CB40

Function 012226DC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fb00821877085253f9d0bc37ec400f96fecc94c21492e14eb33b83d5b3a9c6
Instruction ID: 110676cea4fd40fe5935c59552a6728c031684fe841800f942248de13b1dafa6
Opcode Fuzzy Hash: b9fb00821877085253f9d0bc37ec400f96fecc94c21492e14eb33b83d5b3a9c6
Instruction Fuzzy Hash: 6341FEB0D10349DFEB24DFA9C480ADEBFB1FF48310F10842AE819AB250DB759946CB91

Function 012226E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544a8a9fd7b12da110b7667f39b8a09711c2a7e34bee159bb2f41c87007b091e
Instruction ID: b6eca12b1a6693dba77ad8f9f8b1303f8ba068a6e45d7dde32977bdf9c0bcedb
Opcode Fuzzy Hash: 544a8a9fd7b12da110b7667f39b8a09711c2a7e34bee159bb2f41c87007b091e
Instruction Fuzzy Hash: 6441EEB0D10349EFEB14DFA9C480A9EBBB5BF48310F108029E919AB250DB75A946CB91

Function 0122924F Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585ed862952313d7e5b442da2d60e48142162b4c2e15aec3b45642eac5494659
Instruction ID: 2a792b82b8bb07fb5ed49838921d15d580114712fcb43d0079c875e09e4b4919
Opcode Fuzzy Hash: 585ed862952313d7e5b442da2d60e48142162b4c2e15aec3b45642eac5494659
Instruction Fuzzy Hash: E931A231E102269BDF05CF68D49079EFBB2FF8A314F50C229E905EB245DB709881CB90

Function 01229260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5e926b619af81655834e268af36d0db2e067341b1704f5881e790838ac528b
Instruction ID: c1c2e9c529632aadd3644fdbe13c047809c9069155d3c682b4ebc2434670bf36
Opcode Fuzzy Hash: 2c5e926b619af81655834e268af36d0db2e067341b1704f5881e790838ac528b
Instruction Fuzzy Hash: 14217330E102269BDF15CFA9D48169EF7B2FF89304F50C629E905EB245DB719885CB50

Function 0122137F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1ee9d9f5f383cdcae09bc1970d85936792646ec839176dc1199577a8e1af19
Instruction ID: 9c908448cb0aba8988bc3be5bb35d2084eede6540dcbd56ac3bdf28318158445
Opcode Fuzzy Hash: 7b1ee9d9f5f383cdcae09bc1970d85936792646ec839176dc1199577a8e1af19
Instruction Fuzzy Hash: 39210B306301226BDB32536CE485F7D3B63E741315F504829E64AC7786DA3DC896C782

Function 012216A3 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef275469f0e8be0911d778887ea43a63086dfa04ea6677d17e322fcdf787236
Instruction ID: 0eedcec9dc21b1ba77b1d9b9603ba926b9ff8378f7a42310e35aefa690802a87
Opcode Fuzzy Hash: fef275469f0e8be0911d778887ea43a63086dfa04ea6677d17e322fcdf787236
Instruction Fuzzy Hash: EC2198385302115FDF36EB28E944F6D3795EB88319F548A20D10ACB65BDB38D8568BD1

Function 01224F8B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84241631b62b63dcc5fa34e0d86789fcb7c8e0617f7b463cce935114f1ec953e
Instruction ID: 34ffc4f9afd263f13f234c7add5b66a0a0a463264f177badc6600056c763cd5d
Opcode Fuzzy Hash: 84241631b62b63dcc5fa34e0d86789fcb7c8e0617f7b463cce935114f1ec953e
Instruction Fuzzy Hash: 92211930710219DFDB64EB78D959AAD7BF1EF8D204B104469E506EB364DF3A9E00CB91

Function 00E7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2564378322.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e7d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca19342be922b31c2f096b3a357aeaad9e2158495dc7b822baea0878a345767a
Instruction ID: 2235681166d6fbcec270752d0d4b4434a561cc42d964e45771e30f8974b1239a
Opcode Fuzzy Hash: ca19342be922b31c2f096b3a357aeaad9e2158495dc7b822baea0878a345767a
Instruction Fuzzy Hash: 7021D071608204DFDB14DF14DD84B26BBB6EF84318F24D569D84E5A296C336D847CA62

Function 00E7D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2564378322.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e7d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2d720a61965986131831cb0de9d8f7328cb8c1cbef9db8046940305688b0fb
Instruction ID: 53956425c71e2f1b127a354cc69add38ab562882d35cc6b5190b9f3d6949b1ee
Opcode Fuzzy Hash: 3d2d720a61965986131831cb0de9d8f7328cb8c1cbef9db8046940305688b0fb
Instruction Fuzzy Hash: 7021397150D3C09FCB078B24D994711BF71AF46214F29C5EBD8898F2A7C23A981ACB62

Function 01229160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569191572470bf83e05e299fc03311ceb9e2b315ef6b79a9a52856b34a69f278
Instruction ID: 32b641b093c0add5e637e38bfcdb4121fefaf703ac633b6a70cb2a3f867943f5
Opcode Fuzzy Hash: 569191572470bf83e05e299fc03311ceb9e2b315ef6b79a9a52856b34a69f278
Instruction Fuzzy Hash: F0218630E1022A9BDF09CF69D45469EB7B2AF49314F10861AE815B7351DB719985CB50

Function 01221878 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ddb63819fdc8a3eadf02bfbe1d9793c3741a94ce80bc8fce6a4ce2c367e198
Instruction ID: ccda1621387ecaaef96344d8283a7e7c4f73f685febc6ded27f8296fb4662b5f
Opcode Fuzzy Hash: 87ddb63819fdc8a3eadf02bfbe1d9793c3741a94ce80bc8fce6a4ce2c367e198
Instruction Fuzzy Hash: D6218E30B202669FEF25EB78C554BAD7BF2AF49204F10046ED506EB260DF768D51CB61

Function 01221888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdd9277caa34793acc14ceb466e847725464190e7672aeed40350452a675856
Instruction ID: de9a355b8f91e52ec97762d6835e72fba513b1c244e329b500638c5a828ec81a
Opcode Fuzzy Hash: afdd9277caa34793acc14ceb466e847725464190e7672aeed40350452a675856
Instruction Fuzzy Hash: 6B216D30B202269FEF24EB78C554BAE77F2AF89204F200469D506EB350DF369D51CBA1

Function 012216B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25492287dd213f26cf76a12c3e9bc501ba465e2f66914818b92671ca239661f0
Instruction ID: a5a51978665bd14a2de2e1078b9eb53e753b948ac24cf3ccc4c4b9159245b3f6
Opcode Fuzzy Hash: 25492287dd213f26cf76a12c3e9bc501ba465e2f66914818b92671ca239661f0
Instruction Fuzzy Hash: 69218A385302115FDF36EB28E944F6D3795EB89319F508920D109CB65ADB38D8558BD1

Function 01224F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bc990b42fcef1f4df6cf826d48ee827b9b40402014f083fb65702942fdd958
Instruction ID: 4e07f5c3f30ee05f9d18b0ab34308394fe9a64a69c0579cde04380ad5200591f
Opcode Fuzzy Hash: 88bc990b42fcef1f4df6cf826d48ee827b9b40402014f083fb65702942fdd958
Instruction Fuzzy Hash: 4E213930710219DFDB64EB78D958AAD7BF1EF8D204B104469E506EB3A0DF3A9E00CB90

Function 01220848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d53591ea91bd8a613b18b5853dc2ac3ab30a7ef6dfe9cb892a4f8e8e04b24a6
Instruction ID: f0ca651a6f6245724266bb6dea5fc56ac708dbf518c9ebbea69e6caa21d729a7
Opcode Fuzzy Hash: 3d53591ea91bd8a613b18b5853dc2ac3ab30a7ef6dfe9cb892a4f8e8e04b24a6
Instruction Fuzzy Hash: FF11E730B20226ABEF256A7DD44473F3696EB85214F11493AF106CF342DEA5CC858BC6

Function 01220838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14b026d2eed8637c1d27536c104827037e2c2ac6acd0c40266611a1d27ac025
Instruction ID: a3fd1dc157fc1877c0dbcc446e0a1138e0a8c833c9daf204fcc49eee11b73fb6
Opcode Fuzzy Hash: a14b026d2eed8637c1d27536c104827037e2c2ac6acd0c40266611a1d27ac025
Instruction Fuzzy Hash: 09112C31F30226BBEF266A79D40137F3692DB85214F11843AF106CF243E9A5CC418BC6

Function 012217C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96e5d71f766223e4b352a5397b91e455515d5f80918fa0cfc6877217acb80db
Instruction ID: 7da11b7495c6e5cd72a907df3c09c69337efcdc11f2b111c134790680fb123ad
Opcode Fuzzy Hash: e96e5d71f766223e4b352a5397b91e455515d5f80918fa0cfc6877217acb80db
Instruction Fuzzy Hash: E511A071F20321AFDF14AE799905A6E3FE6FB88650B104825EA06D7348EF34C9128791

Function 01221488 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c769a60eb4dee8322d12a4d1ec47f0f9ae02b44dc01a317ad84030c4c68e9a1
Instruction ID: 1dc27006806d5a3f9566f4e2fdf4f6734d46589b8c9bb8e70c5043565d7c1ab5
Opcode Fuzzy Hash: 4c769a60eb4dee8322d12a4d1ec47f0f9ae02b44dc01a317ad84030c4c68e9a1
Instruction Fuzzy Hash: 3D11A131E20226AFCF21EFBC9450AAE7BF5FB58210B14047AD505E7301EB35D952CB94

Function 01221498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04905504874dc85b6da9813fcca9815eb49e6a1ccbf3308ff38eeeb2499d0e78
Instruction ID: 925632387e841fb19d0c6177c6e207931225b116a16a871badd2d8dcb96ca744
Opcode Fuzzy Hash: 04905504874dc85b6da9813fcca9815eb49e6a1ccbf3308ff38eeeb2499d0e78
Instruction Fuzzy Hash: C4018031E21226AFCF21EFBC94509AE7BF5EB48210B14047AD505E7301EB35D951CB95

Function 012280F1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12730fe72cdfb3abb4d634d3d24210c4dbdc912f3f9e08b7827690bc74aed394
Instruction ID: f15c79ecac533208af794c8ddd9a921ad62c46e00a683c3b7ead6ad3134ee125
Opcode Fuzzy Hash: 12730fe72cdfb3abb4d634d3d24210c4dbdc912f3f9e08b7827690bc74aed394
Instruction Fuzzy Hash: 8501B5349103589FCB51EB78E94069D7FF1AB45304F5086A8D004AF18FEE356A05DB42

Function 01221524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af583d5e57399797f2bb3a368af90937a29bbf85f404f08e3e78a65934de08da
Instruction ID: 846b6451c05e3804c2353a05fe468f287c963d66742cb90a42284426c1eb6ba9
Opcode Fuzzy Hash: af583d5e57399797f2bb3a368af90937a29bbf85f404f08e3e78a65934de08da
Instruction Fuzzy Hash: AFF08B33A24131EFCB228BA8A4909BC7F70FE5821171C00D7D946DB210C635D422C701

Function 01227090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba206a34863232aa8512086c3c49f983f5bacc2b4a7389b7a728bd8d5498c15b
Instruction ID: 2f4158e3600d92227ddf407df53c301558e29b77e3884b717d0326b623494d69
Opcode Fuzzy Hash: ba206a34863232aa8512086c3c49f983f5bacc2b4a7389b7a728bd8d5498c15b
Instruction Fuzzy Hash: 00F0B239B102188FC714DB68D5A8B6C7BB2EF88355F5144A8E5069B3A4DF35AD46CB40

Function 01228100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2565889838.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e3472bcd52fd227a1b627365e5d6d414634bebfb5a375344ea48b086cae4ea
Instruction ID: bb466446049b8ddfb056167dab570d2d5ba210fc858b6a02fef04014dd9f31aa
Opcode Fuzzy Hash: 81e3472bcd52fd227a1b627365e5d6d414634bebfb5a375344ea48b086cae4ea
Instruction Fuzzy Hash: 4FF031349202189FDB51FFB5F94169DBBF1AB44304F9086A8C008AB25AEE357E09CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA-Al Daleel.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA-Al Daleel.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eeXxnIpy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ectwbuih.5cg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnyspowo.u10.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohak1fj1.vyt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqxq0o4h.eom.ps1

C:\Users\user\AppData\Local\Temp\tmp2314.tmp

C:\Users\user\AppData\Local\Temp\tmp2F78.tmp

C:\Users\user\AppData\Roaming\eeXxnIpy.exe

C:\Users\user\AppData\Roaming\eeXxnIpy.exe:Zone.Identifier

Static File Info

Windows Analysis Report
SOA-Al Daleel.exe

Function 07483D50 Relevance: 9.0, Strings: 7, Instructions: 280
COMMON

Function 07483D43 Relevance: 5.3, Strings: 4, Instructions: 277
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre