Edit tour

Windows Analysis Report
Wave.exe

Overview

General Information

Sample name:	Wave.exe
Analysis ID:	1483697
MD5:	df016abe8bfe2653c1dca38309260358
SHA1:	253c95a2b7f13d39b9a03ba9a52785258e439340
SHA256:	328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d
Tags:	32exeOrcusRATSudoRAT
Infos:

Detection

Discord Token Stealer, Orcus, SugarDump

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Discord Token Stealer

Yara detected Orcus RAT

Yara detected SugarDump

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to disable the Task Manager (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Wave.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\Wave.exe" MD5: DF016ABE8BFE2653C1DCA38309260358)

universal_.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe" MD5: DF016ABE8BFE2653C1DCA38309260358)

MSBuild.exe (PID: 6868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cmd.exe (PID: 5468 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3428 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cmd.exe (PID: 7096 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo j " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7116 cmdline: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4428 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo j " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 2504 cmdline: C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

universal_.exe (PID: 6844 cmdline: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe MD5: DF016ABE8BFE2653C1DCA38309260358)

universal_.exe (PID: 2128 cmdline: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe MD5: DF016ABE8BFE2653C1DCA38309260358)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Orcus RAT	Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/ https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/ https://asec.ahnlab.com/en/45462/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/	https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Name	Description	Attribution	Blogpost URLs	Link
SUGARDUMP	According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. There are also versions to exfiltrate data via SMTP and HTTP.	No Attribution	https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping	https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump

Malware Configuration

Threatname: OrcusRAT

{"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "sudik", "TaskHighestPrivileges": "true", "AutoSteal": "true", "Inject": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Sudik", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2016-11-05T21:17:40"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": "Wave"}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "15288.client.sudorat.top", "Port": "15288"}, {"Ip": "15288.client.sudorat.ru", "Port": "15288"}, {"Ip": "31.44.184.52", "Port": "15288"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\securedatalifeasync\\"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET35"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%appdata%\\securedatalifeasync\\universal_.exe"}, "InstallBuilderProperty": {"Install": "true"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "true", "TaskName": "protectjssecure"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "true"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "aga.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Wave.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Wave.exe	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Wave.exe	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc4a7:$text01: Orcus.CommandManagement 0x2c91d6:$text02: Orcus.Commands. 0x2ca141:$text02: Orcus.Commands. 0x2cab44:$text02: Orcus.Commands. 0x2cac77:$text02: Orcus.Commands. 0x2cbcd3:$text02: Orcus.Commands. 0x2cbd03:$text02: Orcus.Commands. 0x2cbd31:$text02: Orcus.Commands. 0x2cedd0:$text02: Orcus.Commands. 0x2cefd2:$text02: Orcus.Commands. 0x2cfe5a:$text02: Orcus.Commands. 0x2d0a12:$text02: Orcus.Commands. 0x2d10bd:$text02: Orcus.Commands. 0x2d1158:$text02: Orcus.Commands. 0x2d1294:$text02: Orcus.Commands. 0x2d1d6b:$text02: Orcus.Commands. 0x2d1e31:$text02: Orcus.Commands. 0x2d1e6d:$text02: Orcus.Commands. 0x2d1ead:$text02: Orcus.Commands. 0x2d20cc:$text02: Orcus.Commands. 0x2d2b0c:$text02: Orcus.Commands.
Wave.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2ec728:$f1: FileZilla\recentservers.xml 0x2ec25c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ecab8:$b1: Chrome\User Data\ 0x2ecb24:$b1: Chrome\User Data\ 0x2ecbd4:$b2: Mozilla\Firefox\Profiles 0x2ec674:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f579f:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ec422:$b4: Opera Software\Opera Stable\Login Data 0x2ec150:$b5: YandexBrowser\User Data\ 0x2ec1bc:$b5: YandexBrowser\User Data\ 0x2ecb6c:$s1: key3.db 0x2ecc96:$s4: logins.json 0x2ebcd4:$a1: username_value 0x2ebcf2:$a2: password_value 0x2d0710:$a3: encryptedUsername 0x2ecce2:$a3: encryptedUsername 0x2ce9da:$a4: encryptedPassword 0x2ecd06:$a4: encryptedPassword

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc4a7:$text01: Orcus.CommandManagement 0x2c91d6:$text02: Orcus.Commands. 0x2ca141:$text02: Orcus.Commands. 0x2cab44:$text02: Orcus.Commands. 0x2cac77:$text02: Orcus.Commands. 0x2cbcd3:$text02: Orcus.Commands. 0x2cbd03:$text02: Orcus.Commands. 0x2cbd31:$text02: Orcus.Commands. 0x2cedd0:$text02: Orcus.Commands. 0x2cefd2:$text02: Orcus.Commands. 0x2cfe5a:$text02: Orcus.Commands. 0x2d0a12:$text02: Orcus.Commands. 0x2d10bd:$text02: Orcus.Commands. 0x2d1158:$text02: Orcus.Commands. 0x2d1294:$text02: Orcus.Commands. 0x2d1d6b:$text02: Orcus.Commands. 0x2d1e31:$text02: Orcus.Commands. 0x2d1e6d:$text02: Orcus.Commands. 0x2d1ead:$text02: Orcus.Commands. 0x2d20cc:$text02: Orcus.Commands. 0x2d2b0c:$text02: Orcus.Commands.
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2ec728:$f1: FileZilla\recentservers.xml 0x2ec25c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ecab8:$b1: Chrome\User Data\ 0x2ecb24:$b1: Chrome\User Data\ 0x2ecbd4:$b2: Mozilla\Firefox\Profiles 0x2ec674:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f579f:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ec422:$b4: Opera Software\Opera Stable\Login Data 0x2ec150:$b5: YandexBrowser\User Data\ 0x2ec1bc:$b5: YandexBrowser\User Data\ 0x2ecb6c:$s1: key3.db 0x2ecc96:$s4: logins.json 0x2ebcd4:$a1: username_value 0x2ebcf2:$a2: password_value 0x2d0710:$a3: encryptedUsername 0x2ecce2:$a3: encryptedUsername 0x2ce9da:$a4: encryptedPassword 0x2ecd06:$a4: encryptedPassword

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x15bc:$op1: 04 1E FE 02 04 16 FE 01 60 0x14e0:$op2: 00 17 03 1F 20 17 19 15 28 0x1f42:$op3: 00 04 03 69 91 1B 40 0x2792:$op3: 00 04 03 69 91 1B 40
00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc2a7:$text01: Orcus.CommandManagement 0x2c8fd6:$text02: Orcus.Commands. 0x2c9f41:$text02: Orcus.Commands. 0x2ca944:$text02: Orcus.Commands. 0x2caa77:$text02: Orcus.Commands. 0x2cbad3:$text02: Orcus.Commands. 0x2cbb03:$text02: Orcus.Commands. 0x2cbb31:$text02: Orcus.Commands. 0x2cebd0:$text02: Orcus.Commands. 0x2cedd2:$text02: Orcus.Commands. 0x2cfc5a:$text02: Orcus.Commands. 0x2d0812:$text02: Orcus.Commands. 0x2d0ebd:$text02: Orcus.Commands. 0x2d0f58:$text02: Orcus.Commands. 0x2d1094:$text02: Orcus.Commands. 0x2d1b6b:$text02: Orcus.Commands. 0x2d1c31:$text02: Orcus.Commands. 0x2d1c6d:$text02: Orcus.Commands. 0x2d1cad:$text02: Orcus.Commands. 0x2d1ecc:$text02: Orcus.Commands. 0x2d290c:$text02: Orcus.Commands.
00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc577:$text01: Orcus.CommandManagement 0x5d9597:$text01: Orcus.CommandManagement 0x2c92a6:$text02: Orcus.Commands. 0x2ca211:$text02: Orcus.Commands. 0x2cac14:$text02: Orcus.Commands. 0x2cad47:$text02: Orcus.Commands. 0x2cbda3:$text02: Orcus.Commands. 0x2cbdd3:$text02: Orcus.Commands. 0x2cbe01:$text02: Orcus.Commands. 0x2ceea0:$text02: Orcus.Commands. 0x2cf0a2:$text02: Orcus.Commands. 0x2cff2a:$text02: Orcus.Commands. 0x2d0ae2:$text02: Orcus.Commands. 0x2d118d:$text02: Orcus.Commands. 0x2d1228:$text02: Orcus.Commands. 0x2d1364:$text02: Orcus.Commands. 0x2d1e3b:$text02: Orcus.Commands. 0x2d1f01:$text02: Orcus.Commands. 0x2d1f3d:$text02: Orcus.Commands. 0x2d1f7d:$text02: Orcus.Commands. 0x2d219c:$text02: Orcus.Commands.
Process Memory Space: universal_.exe PID: 6696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6868	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6868	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.77a0000.6.raw.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
3.2.MSBuild.exe.77a0000.6.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x15bc:$op1: 04 1E FE 02 04 16 FE 01 60 0x14e0:$op2: 00 17 03 1F 20 17 19 15 28 0x1f42:$op3: 00 04 03 69 91 1B 40 0x2792:$op3: 00 04 03 69 91 1B 40
3.2.MSBuild.exe.77a0000.6.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
0.0.Wave.exe.710000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Wave.exe.710000.0.unpack	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
0.0.Wave.exe.710000.0.unpack	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc4a7:$text01: Orcus.CommandManagement 0x2c91d6:$text02: Orcus.Commands. 0x2ca141:$text02: Orcus.Commands. 0x2cab44:$text02: Orcus.Commands. 0x2cac77:$text02: Orcus.Commands. 0x2cbcd3:$text02: Orcus.Commands. 0x2cbd03:$text02: Orcus.Commands. 0x2cbd31:$text02: Orcus.Commands. 0x2cedd0:$text02: Orcus.Commands. 0x2cefd2:$text02: Orcus.Commands. 0x2cfe5a:$text02: Orcus.Commands. 0x2d0a12:$text02: Orcus.Commands. 0x2d10bd:$text02: Orcus.Commands. 0x2d1158:$text02: Orcus.Commands. 0x2d1294:$text02: Orcus.Commands. 0x2d1d6b:$text02: Orcus.Commands. 0x2d1e31:$text02: Orcus.Commands. 0x2d1e6d:$text02: Orcus.Commands. 0x2d1ead:$text02: Orcus.Commands. 0x2d20cc:$text02: Orcus.Commands. 0x2d2b0c:$text02: Orcus.Commands.
0.0.Wave.exe.710000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2ec728:$f1: FileZilla\recentservers.xml 0x2ec25c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ecab8:$b1: Chrome\User Data\ 0x2ecb24:$b1: Chrome\User Data\ 0x2ecbd4:$b2: Mozilla\Firefox\Profiles 0x2ec674:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f579f:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ec422:$b4: Opera Software\Opera Stable\Login Data 0x2ec150:$b5: YandexBrowser\User Data\ 0x2ec1bc:$b5: YandexBrowser\User Data\ 0x2ecb6c:$s1: key3.db 0x2ecc96:$s4: logins.json 0x2ebcd4:$a1: username_value 0x2ebcf2:$a2: password_value 0x2d0710:$a3: encryptedUsername 0x2ecce2:$a3: encryptedUsername 0x2ce9da:$a4: encryptedPassword 0x2ecd06:$a4: encryptedPassword
1.2.universal_.exe.3f690d0.7.unpack	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
1.2.universal_.exe.3f690d0.7.unpack	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2da6a7:$text01: Orcus.CommandManagement 0x2c73d6:$text02: Orcus.Commands. 0x2c8341:$text02: Orcus.Commands. 0x2c8d44:$text02: Orcus.Commands. 0x2c8e77:$text02: Orcus.Commands. 0x2c9ed3:$text02: Orcus.Commands. 0x2c9f03:$text02: Orcus.Commands. 0x2c9f31:$text02: Orcus.Commands. 0x2ccfd0:$text02: Orcus.Commands. 0x2cd1d2:$text02: Orcus.Commands. 0x2ce05a:$text02: Orcus.Commands. 0x2cec12:$text02: Orcus.Commands. 0x2cf2bd:$text02: Orcus.Commands. 0x2cf358:$text02: Orcus.Commands. 0x2cf494:$text02: Orcus.Commands. 0x2cff6b:$text02: Orcus.Commands. 0x2d0031:$text02: Orcus.Commands. 0x2d006d:$text02: Orcus.Commands. 0x2d00ad:$text02: Orcus.Commands. 0x2d02cc:$text02: Orcus.Commands. 0x2d0d0c:$text02: Orcus.Commands.
1.2.universal_.exe.3f690d0.7.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2ea928:$f1: FileZilla\recentservers.xml 0x2ea45c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2eacb8:$b1: Chrome\User Data\ 0x2ead24:$b1: Chrome\User Data\ 0x2eadd4:$b2: Mozilla\Firefox\Profiles 0x2ea874:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f399f:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ea622:$b4: Opera Software\Opera Stable\Login Data 0x2ea350:$b5: YandexBrowser\User Data\ 0x2ea3bc:$b5: YandexBrowser\User Data\ 0x2ead6c:$s1: key3.db 0x2eae96:$s4: logins.json 0x2e9ed4:$a1: username_value 0x2e9ef2:$a2: password_value 0x2ce910:$a3: encryptedUsername 0x2eaee2:$a3: encryptedUsername 0x2ccbda:$a4: encryptedPassword 0x2eaf06:$a4: encryptedPassword
1.2.universal_.exe.3f690d0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.universal_.exe.3f690d0.7.raw.unpack	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
1.2.universal_.exe.3f690d0.7.raw.unpack	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0x2dc4a7:$text01: Orcus.CommandManagement 0x5d94c7:$text01: Orcus.CommandManagement 0x2c91d6:$text02: Orcus.Commands. 0x2ca141:$text02: Orcus.Commands. 0x2cab44:$text02: Orcus.Commands. 0x2cac77:$text02: Orcus.Commands. 0x2cbcd3:$text02: Orcus.Commands. 0x2cbd03:$text02: Orcus.Commands. 0x2cbd31:$text02: Orcus.Commands. 0x2cedd0:$text02: Orcus.Commands. 0x2cefd2:$text02: Orcus.Commands. 0x2cfe5a:$text02: Orcus.Commands. 0x2d0a12:$text02: Orcus.Commands. 0x2d10bd:$text02: Orcus.Commands. 0x2d1158:$text02: Orcus.Commands. 0x2d1294:$text02: Orcus.Commands. 0x2d1d6b:$text02: Orcus.Commands. 0x2d1e31:$text02: Orcus.Commands. 0x2d1e6d:$text02: Orcus.Commands. 0x2d1ead:$text02: Orcus.Commands. 0x2d20cc:$text02: Orcus.Commands.
1.2.universal_.exe.3f690d0.7.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2ec728:$f1: FileZilla\recentservers.xml 0x5e9748:$f1: FileZilla\recentservers.xml 0x2ec25c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x5e927c:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ecab8:$b1: Chrome\User Data\ 0x2ecb24:$b1: Chrome\User Data\ 0x5e9ad8:$b1: Chrome\User Data\ 0x5e9b44:$b1: Chrome\User Data\ 0x2ecbd4:$b2: Mozilla\Firefox\Profiles 0x5e9bf4:$b2: Mozilla\Firefox\Profiles 0x2ec674:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f579f:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5e9694:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5f27bf:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ec422:$b4: Opera Software\Opera Stable\Login Data 0x5e9442:$b4: Opera Software\Opera Stable\Login Data 0x2ec150:$b5: YandexBrowser\User Data\ 0x2ec1bc:$b5: YandexBrowser\User Data\ 0x5e9170:$b5: YandexBrowser\User Data\ 0x5e91dc:$b5: YandexBrowser\User Data\ 0x2ecb6c:$s1: key3.db
Click to see the 9 entries

Suricata Signatures

ETPRO MALWARE Observed Possible Malicious SSL Cert (AsyncRAT) - Source IP: 185.37.62.158 - Destination IP: 192.168.2.4

Timestamp:	2024-07-28T19:32:01.337927+0200
SID:	2845590
Source Port:	15288
Destination Port:	49731
Protocol:	TCP
Classtype:	Domain Observed Used for C2 Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-28T19:32:57.062363+0200
SID:	2022930
Source Port:	443
Destination Port:	49764
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-28T19:32:18.451658+0200
SID:	2022930
Source Port:	443
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Wave.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Avira: detection malicious, Label: HEUR/AGEN.1309946

Found malware configuration

Source: Wave.exe

Malware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "sudik", "TaskHighestPrivileges": "true", "AutoSteal": "true", "Inject": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Sudik", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2016-11-05T21:17:40"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": "Wave"}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "15288.client.sudorat.top", "Port": "15288"}, {"Ip": "15288.client.sudorat.ru", "Port": "15288"}, {"Ip": "31.44.184.52", "Port": "15288"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\securedatalifeasync\\"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET35"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%appdata%\\securedatalifeasync\\universal_.exe"}, "InstallBuilderProperty": {"Install": "true"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "true", "TaskName": "protectjssecure"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "true"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "aga.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Virustotal: Detection: 69%			Perma Link

Multi AV Scanner detection for submitted file

Source: Wave.exe	ReversingLabs: Detection: 81%
Source: Wave.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Wave.exe

Joe Sandbox ML: detected

Source: Wave.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Wave.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb\ source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: el.pdb source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb8 source: Wave.exe, 00000000.00000002.1674096769.0000000005390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: MSBuild.exe, 00000003.00000002.2380980047.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: MSBuild.exe, 00000003.00000002.2380794332.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.fluentcommandlineparser.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: orcus.plugins;costura.orcus.plugins.dll.zip;costura.orcus.plugins.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.orcus.shared.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: Wave.exe, 00000000.00000002.1670685146.0000000003083000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1677518819.0000000005600000.00000004.08000000.00040000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbe4 source: MSBuild.exe, 00000003.00000002.2379629169.0000000005D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: Wave.exe, 00000000.00000002.1674096769.0000000005390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: o.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.orcus.staticcommands.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: K:\source\Chrome-Password-Recovery-master\Chrome-Password-Recovery-master\obj\Release\ChromeRecovery.pdbM source: MSBuild.exe, 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: directoryinfoex?costura.directoryinfoex.dll.zip?costura.directoryinfoex.pdb.zipUes.microsoft.win32.taskscheduler.resourcesucostura.es.microsoft.win32.taskscheduler.resources.dll.zip/fluentcommandlineparserOcostura.fluentcommandlineparser.dll.zipOcostura.fluentcommandlineparser.pdb.zipUfr.microsoft.win32.taskscheduler.resourcesucostura.fr.microsoft.win32.taskscheduler.resources.dll.zip/icsharpcode.sharpziplibOcostura.icsharpcode.sharpziplib.dll.zipUit.microsoft.win32.taskscheduler.resourcesucostura.it.microsoft.win32.taskscheduler.resources.dll.zip+jetbrains.annotationsKcostura.jetbrains.annotations.dll.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: $^q&costura.orcus.shared.utilities.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.shelllibrary.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: orcus.shared9costura.orcus.shared.dll.zip9costura.orcus.shared.pdb.zip-orcus.shared.utilitiesMcostura.orcus.shared.utilities.dll.zipMcostura.orcus.shared.utilities.pdb.zip)orcus.staticcommandsIcostura.orcus.staticcommands.dll.zipIcostura.orcus.staticcommands.pdb.zip%sharpdx.direct3d11Ecostura.sharpdx.direct3d11.dll.zip#sharpdx.direct3d9Ccostura.sharpdx.direct3d9.dll.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: MSBuild.exe, 00000003.00000002.2380980047.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: el.pdb.. source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $^q$costura.orcus.staticcommands.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.directoryinfoex.pdb.zip source: universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, universal_.exe.0.dr
Source:	Binary string: opuswrapper7costura.opuswrapper.dll.zip7costura.opuswrapper.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.directoryinfoex.pdb.zipxp source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: Wave.exe, 00000000.00000002.1671238024.0000000003F03000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1671238024.0000000003FB5000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1677607852.0000000005610000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.opuswrapper.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: K:\source\Chrome-Password-Recovery-master\Chrome-Password-Recovery-master\obj\Release\ChromeRecovery.pdb source: MSBuild.exe, 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.orcus.shared.utilities.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: shelllibrary9costura.shelllibrary.dll.zip9costura.shelllibrary.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.orcus.plugins.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: $^q'costura.fluentcommandlineparser.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1

Yara detected Generic Downloader

Source: Yara match	File source: Wave.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.37.62.158:15288

Source: Joe Sandbox View

ASN Name: HOSTLANDRU HOSTLANDRU

Source: global traffic

TCP traffic: 192.168.2.4:49675 -> 173.222.162.32:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15288.client.sudorat.top

Source: MSBuild.exe, 00000003.00000002.2364319406.00000000016C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000003.00000002.2379629169.0000000005CE4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry
Source: MSBuild.exe, 00000003.00000002.2366733745.000000000363F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mLR
Source: MSBuild.exe, 00000003.00000002.2382690824.0000000007111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Wave.exe, 00000000.00000002.1670685146.0000000003083000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKey
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateValue
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateValueResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFile
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKey
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValue
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetPath
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetPathResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeys
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValues
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLog
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/IsAlive
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/StartProcess
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessResponse
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/WriteFile
Source: MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/WriteFileResponse
Source: Wave.exe, universal_.exe.0.dr	String found in binary or memory: https://api.ipify.org/I(.
Source: MSBuild.exe, 00000003.00000002.2390146914.000000000856C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/F

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: Wave.exe, type: SAMPLE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: Wave.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.77a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.universal_.exe.3f690d0.7.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 1.2.universal_.exe.3f690d0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen

Yara detected Orcus RAT

Source: Yara match	File source: Wave.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.universal_.exe.3f690d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED

.NET source code contains very large strings

Source: Wave.exe, SettingsData.cs

Long String: Length: 14572

Source: C:\Users\user\Desktop\Wave.exe	Code function: 0_2_013A8D40	0_2_013A8D40
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 1_2_02A087F0	1_2_02A087F0
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 1_2_02A0ED90	1_2_02A0ED90
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 1_2_05509EE0	1_2_05509EE0
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 1_2_0550A6EF	1_2_0550A6EF
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 2_2_02CD8D40	2_2_02CD8D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_01669180	3_2_01669180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05911688	3_2_05911688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_059169C8	3_2_059169C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05911679	3_2_05911679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05915B78	3_2_05915B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05917A98	3_2_05917A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E382B9	3_2_06E382B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E32B08	3_2_06E32B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E3275C	3_2_06E3275C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E33F7F	3_2_06E33F7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E30F34	3_2_06E30F34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072E0710	3_2_072E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072EE2F8	3_2_072EE2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072E0FE0	3_2_072E0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072E03C8	3_2_072E03C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_073D3FC8	3_2_073D3FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_073D5A40	3_2_073D5A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_073D71F0	3_2_073D71F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_07402700	3_2_07402700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_074006B8	3_2_074006B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_074022C0	3_2_074022C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_07407218	3_2_07407218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0740B818	3_2_0740B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_07402B28	3_2_07402B28
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Code function: 8_2_00FF87F0	8_2_00FF87F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: String function: 059136E0 appears 114 times

Source: Wave.exe, 00000000.00000000.1661348029.0000000000A0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename. vs Wave.exe
Source: Wave.exe, 00000000.00000002.1670685146.0000000003083000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs Wave.exe
Source: Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs Wave.exe
Source: Wave.exe, 00000000.00000002.1674096769.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Plugins.dll< vs Wave.exe
Source: Wave.exe, 00000000.00000002.1669661864.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Wave.exe
Source: Wave.exe, 00000000.00000002.1671238024.0000000003F03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs Wave.exe
Source: Wave.exe, 00000000.00000002.1671238024.0000000003FB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs Wave.exe
Source: Wave.exe, 00000000.00000002.1677607852.0000000005610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs Wave.exe
Source: Wave.exe, 00000000.00000002.1677518819.0000000005600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs Wave.exe
Source: Wave.exe	Binary or memory string: OriginalFilename. vs Wave.exe

Source: Wave.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Wave.exe, type: SAMPLE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: Wave.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.MSBuild.exe.77a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 0.0.Wave.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.universal_.exe.3f690d0.7.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 1.2.universal_.exe.3f690d0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 1.2.universal_.exe.3f690d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers

Source: Wave.exe, RespawnTask.cs	Task registration methods: 'RegisterRespawnTask'
Source: 0.2.Wave.exe.306ed6c.1.raw.unpack, CursorStreamCodec.cs	Task registration methods: 'CreateModifierTask'
Source: 0.2.Wave.exe.5600000.6.raw.unpack, CursorStreamCodec.cs	Task registration methods: 'CreateModifierTask'
Source: 0.2.Wave.exe.3093234.0.raw.unpack, CursorStreamCodec.cs	Task registration methods: 'CreateModifierTask'
Source: 0.2.Wave.exe.308721c.2.raw.unpack, CursorStreamCodec.cs	Task registration methods: 'CreateModifierTask'

Source: Wave.exe, SettingsData.cs	Base64 encoded string: 'YRqG4yHhb2rDi4erJXQn2C+LlWBTn5jUufQZOt6OTiRoxEsM5dW9qf41B8yOoR+MD+9NE8XwemyOW1SGFMczJ6v49OaIoGjrV2KQm3qlpSxLp7j2txlUHruMxxt28lrlEvxV2Ojy9l7ufN/MinSHZX/G1e9wQhT37ovJdvohXK4GCSt/397SHaSHZhDBWkygcyxMqoTmW4hVQDp/6eIvPFHRUsPuAQvsB7mpEJcj03FovCpkfh+TxYM7GgO+m+5J6/DJy+KKMmSVVI+R1N+CUWFO52Fr6NzwwDTTUaPMtZ8sWGx8WW5tH1RKUiHuwneupGmmgBu12Z17RmFrtU35mwT7No5jbrItYrrmp8LwUosY0/4GbXqJR++dFNFldKR+lv2/AfCx+Kxq2OVNEvqXLKp9tbgHBK6UJRgl8wQdUMr5q0GRh001oY5GwGODBMDeYqx+kEsHF34f8Q38h1QnUF+9O0XIfY4OuiNvkLhjzG1CtbpmfKd/qpMnEWSZB5hUoBTDAVO6gYOJklisScxbNWQZyaO4GIxj1fyM3N6g3KqhRHcT/HuoHTkWNqxOo/+Ysu5U0UcQyp+jmhzNCU6OMCkY+IMJ0/Kl4VRHSdCvxht5lMEOHNoQmySLp1PIV0ENqNxwe78EfsB2ZVN+EqlM8ZfGu+4W95Vis9uGULJ4zllNXRP1oghq7oZ/t0UNovyNtjbgt24sO6j0t7+4oC52XffzNhrmoA/UFWnBvjcStubz5tbh8TCGagBaOUG/ww74vchuV4z+s5xBrOOG2derpEFDL2MRUMq2rF6hy8pu2I0yVQ50+fmcQGrfWiGbiOHRoolVOH2qNo5ZtRb9uNcNkEa//sQwAT/ovwssfy8LKqw0WCulXwYsFpubGuafUArGOEtZX6jTisLe0Ek+EQ1EDMgnIZD0Lcl8K44uszM1RH4E7EoGZVJDGz9KEYq5y2AFqMFFgPtO8LghB03qCfJ0MsXOyeG3s5LpKqF48O4p88XmVzct2dg4l/Ej4UzUkJ4HPmoOblihhY72Nj9x0nYNZ5igqq7pltFmG13nQWy+M/qD/wFn3S1otnXSeT0AodEkqD1iTMmAh5VVndNvtMT1tT6DRf1PXHEsjO949dWs/OjDtE7u7toWEZnnkZmDQf2W+V0nxCXS7+B51wskSh9HyS5Ux9kYk7D/NmGF2dm3mocoU7QwZ8ow3l+HkPUFaQMvMEhBG+DAG7sfv5XHaT3THXMfWS3SZKRzrrhM+M0zIKXLsuN2elQKtzlmxIfPpeGPDa702Me+0sRtviRxpq3mEIi8a+hy5gwZrM9cxjj84xGDxy8zLk46EvaeroKbq7gobvggZveBx79+88VjroK083iZWHAVWwBvlksWycW7QwkviADXYS4QX4o1EDifAlz/cmAy8FkQgLXvZplDnxa+rQbJGtrI1q6AcAdO7Plv1aMkiQ+OHLilwdiR3fsBVf6N0o7gAqLYb9pu/YAOF2qhoz8EKMIe4obqGIbRg17Lf6N9Hro6SDUj95k1cXtRDXi96dYfDAnNT9Nn+ufebmWVpJBKg95PbnenCFs8sKhTlGNmJcWmwC1acWz6iB7MX08tbeDQu9D6kasNVOUmmV457+BnWUxyLjAK/gsKVY9zdMcbgLn3V0Nfl0qTv05dRzG4h3M/RlqCYXanbusz7d7SdR1dleu9uBy3NjxkEvZorAJlAxvx0641kO8fn/Kugd05sR2mP/VfhtdxS+v4f6Y9Vgqv7iXUEIS8x8B8Ia5AsmmdFs55pu/Dk7uuVxRYVcN/GyGDpis80TTVE9p8Y3hCUNVd+5QujyUT/IJ1nMCvgjHUh9r/oygOdeGOclOVO2KdD2//HFXW1HBlH4a+HVpiztxOPYwiP2+jxkBAwTW6CXZotauOrLQOWD5k5rG/EmJwiR941ipOGF4Wos9ojn0KgtRZb1gXsYTL3KT38u9IumEjTWTOxtMUo9iLxUwPC2X2uT/8L1UEOUJUb6H1mDCBuXdlGeukx5h4JZjx5txgq7zJoUVMQTb3IdvN67ujNla+07yUEtLs1qeOSeaKiqxDsSc69iR30mT6nyErznwXuaiGlGoVtcJMlHKjn+aMzICf5ndMTzUtXcDqeu47t2rkFLyh8oknGBovbPP1rbIzC4Tj0iIZomiNjdy0J1f/2sWMhsVRv7ah5JgEKNFFICqlpx38pyBaKjGnx2r5Wq6Sy1s+W+sNrrZWsS/Iy7F72qpz/SyLdXD9YxHdId195LBFDsaPTfAi48T+eu875de5a4bCT6GiGiNg7ktgVVPY6f6rKSXWhL3Ie0EP9P6ZVieq0xaU5/kWylqIPVz7N30l3vRgbh2HwCpdem5C0jUYAh4uq6Fz8h1nUpxF3hi7VdHyFpwzbuS/wuzYqSg9SAkjlPnyQsnpPnzTi1zSb1Kxt/WoN1qJvvR7wQKdGuD7d2sKh3VyTyxRssgtNjercNdMTsTrs3+fag80zLODeiIMb0BGNfaIgaOQSU9dZ1YPHJIaXMl6Sh83+TrnAEW64JwMP+rwaQuNLO4TSpOotDHsDwVrtTBxxzD7LiG2SpNUbmUuKpYXZvr20v1Q9hLXFPSG+DVQM/MYLNsg/+OSTKBClTcC5LdWp9qaJ7YYOwTSjyd0Y2W1flPfQ5h4B8PrWF1WzCEBo7OYp/gpCJhzah0G4G/PpZYdnBY/br23MbY8i73PhhNLt0pglIYfWNikXtgrzBUTJQDDqTCQLCoCcvbORP+A+C1C2nqxMrf/ZnWNLlX6X007JRkz8ZazV6qGVkfqcw6OLnMPbSeLmbOM9vciAfCL46K2Ly+aKJjyqk6Vq/TvDf8aBBYAfoGM5nVw4aXVKLQE2zkMz3PXOdYV8AXQ8Xu6sFRK1sUuy5tuPP0BZZD6M58T4jFeHY62MYuRXWNyWbRF228+6wW3q28DRN+Msi0yEUz+9Uu8owSWVcVsSPVBS/u6S5f5wYNZuMrFwe+lV0BDTO+Mqev2qzZ
Source: 0.2.Wave.exe.5610000.7.raw.unpack, KeyDatabase.cs	Base64 encoded string: 'LLRoXV86AlBeBo3gr4j5ksNz+rUdyxTAXD7SqpWJBBkxzSUyDEiVA+O9eBOsRNGM', 'OKwgx+ENIbgtqRVdHAQDNzVAljJosuOsQvegxi9iaRp8fU2QMtC33rhaMK+0L+ie', 'gx7soik3QiZs2ND2XzdSE75IEDI3Y20JdsJgP6hZpb9H41GxM/QlnbjCKXlj5K8P', 'uuesSDgbaTSX5NoGigaHLi/gX5RCdz9spyy0H8i6QxA20VrDqnlslUpGgdejo9sy', 'Uz7Q/c4M0rYzv5dXs8JL1z8vWgB1ZUqJm6fm5+wiveEOlA0/ScCnhhio22vyEs7G', 'OGKNd3DCifhKxKHVlfNnsriucooii76f7LVzTFbES8PKlDC0IlmtpjTlZAcmnPPj', 'X0CqsAN8xg8RLjduBT4HCyNGUhRlKEajE68/lRhcQLMyQi9KO93AmyZiDmge58hD', 'KzxkwLJWqc3A5NLwo/kqQyGjOHcNEtx1UfT/uLHBuAA59oAEuOBwJF1c+OkbBjwG', 'SvAd86CrtADibJP4DQi0J/VoqtdGTL1yNDhVoSMH+tIZi6OLgd+x7QXNQuz8erFO', 'XInNAzTkeNpo24AaPlUlT+Yz9NuB/kt1x031WByMVo+d9ftF9wS7WWBwIpH2+mxz', 'Qr/7AtbODKwRvK1+Zl4qJNVNplORdKbLvldxC8vDjbUcjK86qxHPaIokWi9HosYb', 'HRcYJIwZghvv/DHAHRj81a5v0kSmAoSZ+NB1q63ICxH57QAryYkmYvYw2F5oVzaz', 'v7mj41wpeahjU+PxfULc5x6EKMqktqzLg0Vj37hXr/MV/nPnu+dlru6ErMoF3o/J', 'wIx+ssCbqA6eFjol20RLaSA2HKHvBjTJic5dLMQBPdfjE5c646aV4gVtXpbdoFCx', 'uEIWQfHpHaUjgniOrw9ATEaDCCpvRR6uSCDZPN00dwHLWb+9pZJSkLkBUAiY5y4Q', 'Y5ytkJax0ay/eI3J6J/U4SbJ7cZmvZ0bffpcQjW+rwLOGpq4AtuBRZV7M3aBYE7F', 'XD1MIMwBM17D+Tmmi9LZ+DEhg2kZpxY1SmTyqv90lM+qgF+U5q5JXh05kqO8V170', 'JQafwmk8QA9GqijIahqYL/ISzOhmcUYXiNxQ80Pv6DI/cgq8Qd0E8BlZwd7X4f4C', 'pDRUjkDFFnKMacyoXf7IGPlDfOAYSGyjyOLWzK7Nmu3Id3TGR99dEQyC3g0b1Q0U', 'KacKd1h5i1mmRhJ5AlfVDXZMX77XCvO8AecWrLg9rZflhwBuLNeS7yxeygPaTMgl', 'UnNFCa+15bwu9haUERlOlwxpDI7DGKxz0vNDda3C6hf7n0muX/2YIDdOQqf8hfO2', 'KKppwnlOWmznL/8v6Fy1zVmdtGOw1hKaKtaOcgg1u9Ig8c6N4hhLMgYcGQqYrUJN', 'TnnQJTTI6Mcmi1/X3swqam0XaXWgTTvnkOShXaOcEztHPaB8f9z3T7cZPPEkBiyD', 'SAAuLX3l/wZJ1J3V0mFWqhzDVtMA2BhL8dZ4tV3ojemJdKFZUYbEJCBG8whhCYee', 'LjLuGByUVKa6V4KrQoDlHHpAHaqYI5P35/BcR4Z7kDClpGsL0dYG7E9meDfWnRju', 'hSXzzzybSgOYwDbkh0tbGHUB5fKieNOoULCZsPfPZ1EkMf3wmXzF2XPUPDdN5FVE', 'G5LGae6g7sOouwyMyendq4hFGTe9m94Riu8msKLXxUPHXeUb5BIH1ULNfn9d3ZGz', 'sHHZnz5a+F35s0VENqJXHtlEDvHubuN36y+3NOeiaXvZ7pgC8Y84Aw2wF5n0bbt8', 'swx0nHzDyVuHHezsYZW/+rS9z9IKBnVvUIOIdaH/buVZ+quH7D/vqj7MN9Oj6D4J', '/DEeR4iP4I2G2hA9DQCekUGFbswgwn0ra9eMmFwsfQOi48wYXrhl78yieJQRuwdw', 'GW+pdpbEzDWJ6kgB+lig+R1i5HSDZYaoFLITlPVvZHsi9QyU32rEdM6OFDJvq2Vk', 'VJJ4za8d9HFKohFmSpvhdiSb44JNd5GAnTsyFX2jT+J3couTiGBfDEYiVT1jtOEn', 'WD88YgwKQ7UXIbWksOUPn5b5X+X/K+7p8jJFq4Exd5pqRo1/1dcOOUo6BXyYG6Z8', 'wl0yMQGTnLTmIcVs4TkWLVTM7YgpbwecQt3KcxN1sIuJv8eZnlbvb0n51dsXpvdn', 'hPm4vV7aw7i1Ss7hRMfs8WLRGxK8OAaAn/B1wXEEc2VqvVs+BFf6A9YGGNCK8Dxg', 'Gt3emW4XxKDllLyO7RhB2toJlr5kmtVsx1hxZ7fH11o6OhuAJvwsh/KXEzKGZPBQ', 'hTv/t6X3gx6UAxgi4wRuHp9PIZXYFIClnIz2hQYePtA9aL2HX9GTpU32Yi8RDg1x', 'pVV0CEPKllCk03vZKSfB0v2Taee5xNRkG/aHQ1wnXMEpof9qrRFEYbiBAZgXTwIO', 'ypaZWoqA/XRWYHsn1+7cJuY5YYt0cRBBWiKEg5KzhsnSZ7DAkAtLBsFBhyvH44md', 'rsu+ut+M6pTxLOeN7WwAWoNDzk65Yg0D7p1sPZvqMbFTWY5JPAh7MHoGQZkzifyh', 'XDZe0kBvd0EiI69cJlPNsKholDNzrFurqlV/mJujo4EdKRmHkdGR6F4i30fRpZjU', 'VKr2j3gn2d+CobbgXvtCKl4UdcNPBl1lePlYYoGZhYCI97i+e7oc6UoHEARAEMY1', 'puCUoUYp24GLuB8TKygEAToyvRqQL9IaHPutAEDPbF0OsniEl+TCdJh2H1nz89Rf', '/su7PIEOzM1ch1yvca4Sl3vMMfquA9RIMrIRv3I2gw7+llVbcy/xU5iiTbhGjlh8', 'PetZ5Lw

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/10@1/2

Source: C:\Users\user\Desktop\Wave.exe

File created: C:\Users\user\AppData\Roaming\securedatalifeasync

Jump to behavior

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2288:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:916:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" "

Source: Wave.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Wave.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor

Source: C:\Users\user\Desktop\Wave.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Wave.exe	ReversingLabs: Detection: 81%
Source: Wave.exe	Virustotal: Detection: 69%

Source: Wave.exe	String found in binary or memory: $this.Icon-InstallationPromptForm
Source: Wave.exe	String found in binary or memory: --install
Source: Wave.exe	String found in binary or memory: /keepAlive?/launchSelfAndExit "{0}" {1}{2}

Source: C:\Users\user\Desktop\Wave.exe

File read: C:\Users\user\Desktop\Wave.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Wave.exe "C:\Users\user\Desktop\Wave.exe"
Source: C:\Users\user\Desktop\Wave.exe	Process created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe "C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat"
Source: C:\Users\user\Desktop\Wave.exe	Process created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe "C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat"	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Wave.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Wave.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Wave.exe

Static file information: File size 3133952 > 1048576

Source: Wave.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2f7000

Source: Wave.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb\ source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: el.pdb source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb8 source: Wave.exe, 00000000.00000002.1674096769.0000000005390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: MSBuild.exe, 00000003.00000002.2380980047.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: MSBuild.exe, 00000003.00000002.2380794332.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.fluentcommandlineparser.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: orcus.plugins;costura.orcus.plugins.dll.zip;costura.orcus.plugins.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.orcus.shared.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: Wave.exe, 00000000.00000002.1670685146.0000000003083000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1677518819.0000000005600000.00000004.08000000.00040000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbe4 source: MSBuild.exe, 00000003.00000002.2379629169.0000000005D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: Wave.exe, 00000000.00000002.1674096769.0000000005390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: o.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.orcus.staticcommands.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000003.00000002.2381687444.0000000006C4C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: K:\source\Chrome-Password-Recovery-master\Chrome-Password-Recovery-master\obj\Release\ChromeRecovery.pdbM source: MSBuild.exe, 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: directoryinfoex?costura.directoryinfoex.dll.zip?costura.directoryinfoex.pdb.zipUes.microsoft.win32.taskscheduler.resourcesucostura.es.microsoft.win32.taskscheduler.resources.dll.zip/fluentcommandlineparserOcostura.fluentcommandlineparser.dll.zipOcostura.fluentcommandlineparser.pdb.zipUfr.microsoft.win32.taskscheduler.resourcesucostura.fr.microsoft.win32.taskscheduler.resources.dll.zip/icsharpcode.sharpziplibOcostura.icsharpcode.sharpziplib.dll.zipUit.microsoft.win32.taskscheduler.resourcesucostura.it.microsoft.win32.taskscheduler.resources.dll.zip+jetbrains.annotationsKcostura.jetbrains.annotations.dll.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: $^q&costura.orcus.shared.utilities.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.shelllibrary.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: orcus.shared9costura.orcus.shared.dll.zip9costura.orcus.shared.pdb.zip-orcus.shared.utilitiesMcostura.orcus.shared.utilities.dll.zipMcostura.orcus.shared.utilities.pdb.zip)orcus.staticcommandsIcostura.orcus.staticcommands.dll.zipIcostura.orcus.staticcommands.pdb.zip%sharpdx.direct3d11Ecostura.sharpdx.direct3d11.dll.zip#sharpdx.direct3d9Ccostura.sharpdx.direct3d9.dll.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: MSBuild.exe, 00000003.00000002.2380980047.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: el.pdb.. source: MSBuild.exe, 00000003.00000002.2364319406.00000000016F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $^q$costura.orcus.staticcommands.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.directoryinfoex.pdb.zip source: universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, universal_.exe.0.dr
Source:	Binary string: opuswrapper7costura.opuswrapper.dll.zip7costura.opuswrapper.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.directoryinfoex.pdb.zipxp source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Orcus-1.9.1-src-main\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: Wave.exe, 00000000.00000002.1671238024.0000000003F03000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1671238024.0000000003FB5000.00000004.00000800.00020000.00000000.sdmp, Wave.exe, 00000000.00000002.1677607852.0000000005610000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.opuswrapper.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: K:\source\Chrome-Password-Recovery-master\Chrome-Password-Recovery-master\obj\Release\ChromeRecovery.pdb source: MSBuild.exe, 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.orcus.shared.utilities.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: shelllibrary9costura.shelllibrary.dll.zip9costura.shelllibrary.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: costura.orcus.plugins.pdb.zip source: Wave.exe, universal_.exe.0.dr
Source:	Binary string: $^q'costura.fluentcommandlineparser.pdb.zip source: Wave.exe, 00000000.00000002.1670685146.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029B1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Wave.exe, FileExplorerCommand.cs	.Net Code: _003C_002Ector_003Eb__13_8
Source: Wave.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Wave.exe, CodeCommand.cs	.Net Code: ProcessCommand
Source: Wave.exe, PluginLoader.cs	.Net Code: LoadPlugins System.Reflection.Assembly.Load(byte[])
Source: Wave.exe, PluginLoader.cs	.Net Code: LoadPlugin System.Reflection.Assembly.Load(byte[])
Source: Wave.exe, PluginLoader.cs	.Net Code: LoadPlugin

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_015DDF44 push eax; retf	3_2_015DDF45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_015DE8BC push eax; retf	3_2_015DE8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0591CDF2 push es; ret	3_2_0591CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E322B0 pushfd ; retf	3_2_06E322BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_06E37AB4 push dword ptr [ecx+ecx-75h]; iretd	3_2_06E37ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072E9BE0 push esp; ret	3_2_072E9BE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_072EA972 push eax; retf	3_2_072EA979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_074042D3 push ebx; ret	3_2_074042DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0740DB2A pushad ; retf	3_2_0740DB2D

Source: C:\Users\user\Desktop\Wave.exe

File created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: universal_.exe PID: 6696, type: MEMORYSTR

Source: C:\Users\user\Desktop\Wave.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299310	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 875			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8924			Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe TID: 7008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4464	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7092	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299748s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -299094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -298000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297341s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -297016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -296031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3120	Thread sleep time: -295047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Wave.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299310	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 299094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 298000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 297016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 296031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 295047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000003.00000002.2379629169.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX:
Source: MSBuild.exe, 00000003.00000002.2382293620.00000000070D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: MSBuild.exe, 00000003.00000002.2382690824.0000000007145000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef
Source: MSBuild.exe, 00000003.00000002.2382690824.000000000714D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2383572210.0000000007193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.2383572210.00000000072A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Wave.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Wave.exe, ServerConnection.cs	Reference to suspicious API methods: LibraryLoader.Current.LoadLibrary(item.Library, _sslStream, item.Length)
Source: Wave.exe, RunPE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: Wave.exe, RunPE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: Wave.exe, RunPE.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: Wave.exe, RunPE.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
Source: Wave.exe, HiddenDesktopApplicationManager.cs	Reference to suspicious API methods: NativeMethods.MapVirtualKey((uint)scanCode, MapVirtualKeyMapTypes.MAPVK_VSC_TO_VK)
Source: Wave.exe, ProcessExtension.cs	Reference to suspicious API methods: NativeMethods.OpenProcessToken(pToken, desiredAccess, ref TokenHandle)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6FA000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1045008	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe	Process created: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe "C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo j "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat"	Jump to behavior

Source: Wave.exe, universal_.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Wave.exe, universal_.exe.0.dr	Binary or memory string: ProgMan

Source: C:\Users\user\Desktop\Wave.exe	Queries volume information: C:\Users\user\Desktop\Wave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wave.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Wave.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: Wave.exe, WindowsModules.cs

.Net Code: SetTaskManager

Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6868, type: MEMORYSTR

Yara detected SugarDump

Source: Yara match	File source: 3.2.MSBuild.exe.77a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.77a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6868, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6868, type: MEMORYSTR

Yara detected SugarDump

Source: Yara match	File source: 3.2.MSBuild.exe.77a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.77a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6868, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	312 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	11 Scheduled Task/Job	21 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	Login Hook	Login Hook	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Wave.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.OrcusRAT
Wave.exe	69%	Virustotal		Browse
Wave.exe	100%	Avira	HEUR/AGEN.1309946
Wave.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	100%	Avira	HEUR/AGEN.1309946
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.OrcusRAT
C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe	69%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.mic	0%	URL Reputation	safe
http://schemas.mic	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
http://tempuri.org/IServicePipe/GetRegistryValues	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistryValues	1%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog	0%	Virustotal		Browse
http://tempuri.org/IServicePipe/WriteFile	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetPathResponse	1%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateSubKeyResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/WriteFileResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateSubKey	0%	Avira URL Cloud	safe
https://api.ipify.org/I(.	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateValue	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/WriteFile	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/StartProcessResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateSubKeyResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteValue	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/WriteFileResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetRegistrySubKeys	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/IsAlive	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/StartProcessResponse	1%	Virustotal		Browse
http://schemas.mLR	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$	0%	Avira URL Cloud	safe
https://api.ipify.org/I(.	0%	Virustotal		Browse
https://taskscheduler.codeplex.com/	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteValue	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/CreateValue	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetRegistrySubKeys	1%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteValueResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/StartProcess	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$	0%	Virustotal		Browse
https://taskscheduler.codeplex.com/	0%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetSecurityEventLogResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteValueResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/IsAlive	2%	Virustotal		Browse
https://taskscheduler.codeplex.com/F	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/StartProcess	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetSecurityEventLogResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/CreateValueResponse	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry	0%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetRegistryValuesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteFileResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetPath	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateSubKey	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/CreateValueResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/IsAliveResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteSubKey	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistryValuesResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteFileResponse	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteSubKeyResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetSecurityEventLog	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/IsAliveResponse	2%	Virustotal		Browse
https://taskscheduler.codeplex.com/F	0%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteSubKey	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteFile	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetSecurityEventLog	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/GetPath	2%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteSubKeyResponse	1%	Virustotal		Browse
http://tempuri.org/IServicePipe/DeleteFile	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15288.client.sudorat.top	185.37.62.158	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.mic	MSBuild.exe, 00000003.00000002.2382690824.0000000007111000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/GetPathResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/soap/encoding/	Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.00000000029FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/GetRegistryValues	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/WriteFile	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/CreateSubKeyResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/CreateSubKey	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/WriteFileResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/CreateValue	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org/I(.	Wave.exe, universal_.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/StartProcessResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/DeleteValue	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetRegistrySubKeys	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/IsAlive	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.mLR	MSBuild.exe, 00000003.00000002.2366733745.000000000363F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://taskscheduler.codeplex.com/	universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/DeleteValueResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/StartProcess	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetSecurityEventLogResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://taskscheduler.codeplex.com/F	universal_.exe, 00000001.00000002.1682970469.0000000003B34000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1682970469.0000000003C3B000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1690727858.0000000005B40000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.000000000445C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.000000000359B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2373279351.00000000043E4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/CreateValueResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetRegistryValuesResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	Wave.exe, 00000000.00000002.1670685146.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000002.00000002.1731746246.0000000002EC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000008.00000002.2329000098.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/DeleteFileResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetPath	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/IsAliveResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Wave.exe, 00000000.00000002.1670685146.0000000003083000.00000004.00000800.00020000.00000000.sdmp, universal_.exe, 00000001.00000002.1681076672.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/DeleteSubKey	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/DeleteSubKeyResponse	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/GetSecurityEventLog	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/DeleteFile	MSBuild.exe, 00000003.00000002.2366733745.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.37.62.158	15288.client.sudorat.top	Russian Federation		62082	HOSTLANDRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483697
Start date and time:	2024-07-28 19:31:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Wave.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/10@1/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 332 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.126.163, 2.19.126.137, 40.68.123.157, 93.184.221.240, 52.165.164.15, 192.229.221.95
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target universal_.exe, PID 2128 because it is empty
Execution Graph export aborted for target universal_.exe, PID 6844 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:32:00	API Interceptor	1773x Sleep call for process: MSBuild.exe modified
18:31:59	Task Scheduler	Run new task: protectjssecure path: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://etransfer.interac.ca/ViewInBrowser.do?tokens=eNrtV9tu20YQ_ZWFGqcJYEoUJVGSC6MWKSlw2zip7T4VBbEmh_LG5C6zFzlK0b73L_rW-hv6qB_rLHWJJUuKkKBNCtSIAWf27JnZ2bMzw58rQrIR41QLOcgpy85oDpWjygXIMYtBkVDwmGWMklMeVyuH63CEgpaUqxTkSTzHMoTGIl9BD9kCL69ixjVIGuPOVKGjEzTNN1wBh5TFjMrJ_XAuqUxYekj6dMwS0uNaMA4b4AhNdIk9UZrdQE75Q-J3oShTFELqk5gtAygk4FEkJN9RPjJ0ZL2nEhdgDFxHeEQNbzQaCzrJ0VKVMDIZtQgljIwhYiriQrM0ogVD3GQlDVHKokyMBC5ca12oo1ptmT-nJEfKeXqqMa2lsmbhUdhz7U-jWvDRRsII-L6cwPflxIN_XJz3sv5xJ6-72xk_-Og7ST_07EvSuUCiUlDAURnc5FdgacNeenkWN4fWtcluNkEabqvR7XY7bc_xXK_ptr02phU3xEZpkUca8iKjGuWWIBqXrDTjCP0vMSBni2HPj9uvbp59Gw9X32TE937sJTRiPLoGmoBUe-7CZM59nAchCSh_bYCciwnNYCNwdpUWW4LsjpvNwPJ6NpGu3eXcfXgahJsXZy53rJeeNqzzvUvThuTtswt2V7SyyLCYaiZ4VCwlZNVgy9WbAiSzhiQyqpSUlsa6UNdY8mKjIyOzTRK_L22sg0xCrIdS5BfzfZdiyKqJ-Lo47R8vhPw4G-vjeiMI-l6n2fDrnh802_X6sNVt-vhn6Ae9djPoh816u-P6w0YraIStMGy4nXp_0Bg0O26nX3-cspJy9ooeZ1iAj8vSez_iLY_9swoaQ1wLenMx-QwzDRwFGuWQ2zp9ZvLpnRQkAYLFJWUyL8VGjkh4cfn84nzQanaeVcn59M9RBrbWkZ5SBg8XA5n-Np7e8ZkVbSSjpKxXqZA5kEsW34DOqcLzkyeJUIrhHy3XdVzfwZi8esvxGvWn6Or0-csX55e9s0vikB801hkFb0kGJBfaBlZQpdDb7-S1oVpioNcsTSVWJeBjMZneIUBi9EbiY8i-IhiUxFeDFGOhCOPJ9E4xSa8y3KEYGo0iHEj2JR0jBsmJhOkfpkpeIgXRwmgglCVwaDOiaazhrcPtpvtubDjnMM_JMiUDHCBKy_fh-qREhCFjphiy7d44f_oLAUVaaGofcdc_9LrkEXkS9vpPHwBmb-ZR168iaAukVOg6TSEFZibH_kSVsBwPbDPqh-aSDs0JxBlWthWGVduSYc28YMBHwQpmG-lclVammmqj_pfpf0WmErBFKx0lmFm8MK9DXhmWZaCJnW22IWfK-MZkE-J1DndDS7Xs4MV2uPTuEyqmf23HzPz2zAinKOL5h9uBM69rfLnJNCsyiFR8DYnJsAEvdlaOUpopuEeFd2F7QOXIffAiy6VyAb8o3r0CmkTzz5Yl2-p4hFDbTNb7--3tbRW_s6Sdk65wrLJ3ZEfXXCSgnITGOMrVtEESlIaqWV0yB7SDdFDY9-Qk4KSCJ6pGOcdPntKGqwYHjdl_xtjBrACcRV-71nlW2RXfajffGOItnShHC8ca5vHhqWu2UzkUf218bAxOLjhMarFVYmaNGWU5AhaxOOAs264N64ujX4_sl9yxFgee--LHg4F30HEPev5P-hrQsryyneGv9PVPmGEav1ETtdRZhIX05n0TB0a2GCpqHztQbAlhj2HtHw_h_aPXv5EIgaqSds76lPnIxRXDuvRAHNuSMWzW_bbn-42mX--4_WA4qDdag17D9YJuMMAIgmGnNQz6LjodhMFg0PGa3UF32HWbQ_zXrfzyN_jDSBM&templateCode=2&productCode=0&customBulkExternalId=003_conc_001&langCode=en	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://tinyurl.com/3kx85rdt	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://chattts-49f1.beszyrecala.workers.dev/f7864279-b25b-4ddb-9bd1-ac=	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://chattts-49f1.beszyrecala.workers.dev/10e82ab5-5320-4dc9-b54d-f8=	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://wallet-web3-metamask.gitbook.io/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://wiu74u5e2dc2tdjfkczv3alqizm4b2naa3olvchnf7eprhx3j7za.akrd.net/sin-U6TQxamNJVCzXYFwRlnA6aAG3LqI7S_I-J77T_I?err=wmr1t8osnIxYpObUP3xlDM9epCaud4oeQfGqdukd5Lxaz17jV7Bm6oyjRnsY7nMCN6gb0nti25rNA7w3M8hA0eixYuj8l15fbnQ9Lbn3VmrbGcMuErydrhjRPvSz0bkPdn0j6eDsEgsPbjt4rY4nNL1zcmpvxpDjfjVHyhgW52jPaoilCmz2W2gvvwlHkU8JJIhyxO1fnxaR4VsYs3shlxPj1b5YtsMyrGXXF2m9&dispatch=c1d2a4k9kabd9ce0c6h3	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://vakiif-avans.icu/vakifbank/giris/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://inbox-mygov.cfd/	Get hash	malicious	Phisher	Browse	192.229.221.95
	https://help--iometamask.gitbook.io/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://sachin-nsk.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTLANDRU	DFpUKTL6kg.exe	Get hash	malicious	DCRat	Browse	185.26.122.81
	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	185.26.122.30
	HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe	Get hash	malicious	DCRat	Browse	185.26.122.79
	yk2Eh24FDd.exe	Get hash	malicious	Unknown	Browse	185.26.122.81
	hT0xyYJthf.exe	Get hash	malicious	Unknown	Browse	185.26.122.81
	https://hideuri.com/EXWJgm	Get hash	malicious	Unknown	Browse	185.26.122.79
	rwDENO48jg.elf	Get hash	malicious	Mirai, Moobot	Browse	185.221.215.184
	i21878JK11.exe	Get hash	malicious	DCRat	Browse	185.26.122.80
	i21878JK11.exe	Get hash	malicious	DCRat	Browse	185.26.122.80
	Transaccions DOC-REF DX739475.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.26.122.9

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.121565800269209
Encrypted:	false
SSDEEP:	6:kKPi9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:9DnLNkPlE99SNxAhUe/3
MD5:	A1114E0894BDB8D64A964E6497C89603
SHA1:	9459212562DDCC147B531F75BA7172458C111E59
SHA-256:	C9F34F892365FBCAB70AF4078E7E40633B446A51430AC6131F6A5BF8EC262D6F
SHA-512:	BDF854E6CE92DD21747199FEB44BAB3C37973FF82FDF7907E01BF48CCF76134B0568ACD29BA4E69ADE9F75E7C52D148D92DD37E32A7DB0C85F482361FFDD4964
Malicious:	false
Preview:	p...... ........o.......(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wave.exe.log

Download File

Process:	C:\Users\user\Desktop\Wave.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	5.352154694194798
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qpAE4KzecKIE4oKNzKoM:MxHKlYHKh3oIHKx1qHmAHKzectHo60
MD5:	B7B2115023E4E7524BBFAB90E6A1EEB3
SHA1:	6843D72FEFB2520922603012B521988EF05A7CA2
SHA-256:	F148B4973AEBD7535CF21F2EB0762BD825E0F3988E604ED4BE8E7C1A24F2A772
SHA-512:	99AEFADC22A310DE03CD93125F94116EADA1B9F001E6FBA6BBD7521D50A9F7C985A15F5A7D5F2127B100DA10B1E7EEECC1258965A99ACAFC67514961A18998C2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2755
Entropy (8bit):	5.335448531832121
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3oIHKx1qHmAHKzectHo6THpHafHK7HKdHK8THQmHKtXooBHK9HKoAHx:iqlYqh3oIqxwxqzttI6TJmq7qdqojq7f
MD5:	709C3CE0488278DE5A6676782551EEB9
SHA1:	B3E4FB1E11D677EAAFFFD5715595C03241F3FB5A
SHA-256:	CDD5AC35E95F7C1FD85CF2E1D5373284F61996DA3EDF6C69B98241245C035229
SHA-512:	061AB98C9A515E63052E9DDA2DD687F1BF6E51FC2EB539D423AB5F8207633BE1365EACC99BC61259A113AD5FA5F20DCD79DA98B716158BBF88FE6E71CD57F835
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\universal_.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	5.352137456245207
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qpAE4KzecKIE4oKNzKoI84j:MxHKlYHKh3oIHKx1qHmAHKzectHo6wvj
MD5:	EAE5EFE80D5F86B5BB8BAEF36579B0C4
SHA1:	EAA80274290D74F14BF65C501398863F7BCDA539
SHA-256:	C12CF957A87AA5C969C55DD2D808A4449722226D5DA96DD36C5086C7D5D3B29E
SHA-512:	6E4D2805AB7944EA371B14AB8EB2811EE3A49FC70B98E8DBF1DDA6F6B5FF327AE34B532222945366700E59A2640417B5869B9CB118270C3A0BC6F902755A60CA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\S

C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.477382720435933
Encrypted:	false
SSDEEP:	3:/qQKVQXSLVYFkJtZAGUM+ty8WddSp3AGYPZAIt+kiE2J5xAIEczRQPAAlPoRn:/kVQXSLuAJkLW65AB3wkn23fEMDApoR
MD5:	1F54B433CAC0ACE1EE19D17F613BB58C
SHA1:	5AADDB1AC361744D42DF28988FEB58E82EBDFCCD
SHA-256:	750B3B82C7F5DC5869785B9AB6BE10DB2D90FC8BF8BE13F558153539AAC2F462
SHA-512:	3CC1FF825E004E6BE6E1CF4B8AEEDF842D288CA34A59FA6399C9CBFF4494F603F430C72C8D9BB7028A8952A2F360D28657DD69011FCE188B46DB52E318D5CD94
Malicious:	false
Preview:	@ECHO OFF..ping 127.0.0.1 > nul..echo j \| del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"..echo j \| del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

Download File

Process:	C:\Users\user\Desktop\Wave.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3133952
Entropy (8bit):	7.8485091557698485
Encrypted:	false
SSDEEP:	49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm
MD5:	DF016ABE8BFE2653C1DCA38309260358
SHA1:	253C95A2B7F13D39B9A03BA9A52785258E439340
SHA-256:	328B42682FFC73069ED31D0A9360AAF75E756CC2E51A280EF9849B9E836A990D
SHA-512:	3FCB697B369444FF62C84DD7B562F685B035E87ED9BEAB9C603BB2C35D03D57DB7F28D1CCC8ED2FFAF606802FC6E3A4E1535F627D9FE8E0A68514F27219762EC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: Joe Security Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.d.................p/..`......~./.. ........@.. ....................... 0...........`.................................$./.W...../..\....................0...................................................... ............... ..H............text....o/.. ...p/................. ..`.rsrc....\..../..^...r/.............@..@.reloc........0......./.............@..B................`./.....H.......xk..#.............0.'..........................................(....6.(.....(....R..(.....{....o....&z.,..{....,..{....o......(....*....0..V............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....(.....{.....o.....{...... ....s....o.....{....r...po.....{.....S..s....o.....{.....o.....{....r...po.....{.....o.....{.....o.....{....r!..p"..@A...s....o.....{.....) .... ....(....o.....{........s....o.....{....r3..po.....{.... ......s..

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe.config

Download File

Process:	C:\Users\user\Desktop\Wave.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	357
Entropy (8bit):	5.044876050355283
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VJdfEyFRdSC7VrfC7VNQfC7VOVx/OfEyFRfyruUuAW4QIT:TMHdG3VOcrdS+QmafyV93xT
MD5:	A2B76CEA3A59FA9AF5EA21FF68139C98
SHA1:	35D76475E6A54C168F536E30206578BABFF58274
SHA-256:	F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
SHA-512:	B52608B45153C489419228864ECBCB92BE24C644D470818DFE15F8C7E661A7BCD034EA13EF401F2B84AD5C29A41C9B4C7D161CC33AE3EF71659BC2BCA1A8C4AD
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. <supportedRuntime version="v4.0.30319" sku=".NETFramework,Version=v4.0,Profile=Client" />.. </startup>..</configuration>

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Wave.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	429
Entropy (8bit):	4.948676961384281
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeT0szdn+AFSkIrxMVlmJHaVzvv:/h++AokItULVDv
MD5:	9A41E58B4BA02D597A1F8C8FA46C0A02
SHA1:	C3D6331315BD23402DEF1264288D809BF10FFFEF
SHA-256:	9D3E0D20C12C6CA1B3046AAE13789532A9A3F6069AEA76CCECA97F096EFDAA71
SHA-512:	6B1DB89EB775B67FCDA2FD83A667A0842715E030D136F748226F3AC4BB7D42F6BFC7AE2F9DD557887AF0BCC5C6F0A6B649D1D6A18D44E8E5672C30D5E5143EEE
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8485091557698485
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.69% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	Wave.exe
File size:	3'133'952 bytes
MD5:	df016abe8bfe2653c1dca38309260358
SHA1:	253c95a2b7f13d39b9a03ba9a52785258e439340
SHA256:	328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d
SHA512:	3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec
SSDEEP:	49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm
TLSH:	81E512013BACBD46D0BE2AB8B6B719C807B5EE029682EF4F0D90519D0D9F742BD15367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.d.................p/..`......~./.. ........@.. ....................... 0...........`................................

File Icon


Icon Hash:	0e67d7652f193b87

Static PE Info

General

Entrypoint:	0x6f8f7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A82692 [Fri Jul 7 14:52:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f8f24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2fa000	0x5cb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x300000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2f6f84	0x2f7000	9224f6cc08a6d654bb9ddf25f97c5756	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2fa000	0x5cb8	0x5e00	20d6cde726daf38ced6118eedc33dfff	False	0.27086103723404253	data	3.5018969488489717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x300000	0xc	0x200	02743939ad37cedda66f1624b96ad23b	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2fa130	0x4c18	Device independent bitmap graphic, 78 x 120 x 32, image size 18720	0.2374229979466119
RT_GROUP_ICON	0x2fed48	0x14	data	1.05
RT_VERSION	0x2fed5c	0x324	data	0.44029850746268656
RT_MANIFEST	0x2ff080	0xc38	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.39641943734015345

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-28T19:32:01.337927+0200	TCP	2845590	ETPRO MALWARE Observed Possible Malicious SSL Cert (AsyncRAT)	15288	49731	185.37.62.158	192.168.2.4
2024-07-28T19:32:57.062363+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49764	40.68.123.157	192.168.2.4
2024-07-28T19:32:18.451658+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49740	40.68.123.157	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2024 19:31:54.692728996 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 28, 2024 19:32:00.617062092 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:00.622539997 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:00.622625113 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:00.666313887 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:00.671922922 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:01.326107025 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:01.331993103 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:01.337927103 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:01.549834967 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:01.598754883 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:02.812813044 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:02.818203926 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:02.818289042 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:02.823610067 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:03.337260962 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:03.380043983 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:03.698637962 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:03.702126026 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:03.707047939 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:03.707146883 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:03.711963892 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.227650881 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.269879103 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:04.274946928 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.275023937 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:04.279916048 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.301960945 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 28, 2024 19:32:04.790751934 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.791234970 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:04.796204090 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:04.796262980 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:04.801286936 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:05.579750061 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:05.599565029 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:05.599730968 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.189934015 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.194695950 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.194922924 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.194993019 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.195256948 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.195512056 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.195741892 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.195988894 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.196383953 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.196731091 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.197257042 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.197508097 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.197719097 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.199892998 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.199932098 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.199944973 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.199990034 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.199990034 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200028896 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200028896 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200028896 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200083971 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200139999 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200172901 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200205088 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200205088 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200309992 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200333118 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200421095 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200553894 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200635910 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200635910 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200640917 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200778961 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200787067 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200829983 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.200861931 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200861931 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.200898886 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.204793930 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.204839945 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.204853058 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.204866886 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.204991102 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205240965 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205255032 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205291033 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205334902 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205569983 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205631018 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.205960035 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.206023932 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.206037045 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.206052065 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.208153009 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.213319063 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.522289038 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.522433043 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:06.527211905 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527374029 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527453899 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527503014 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527515888 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527529001 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527540922 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527551889 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527733088 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527842999 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:06.527854919 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:30.350204945 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:30.395677090 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:30.737457037 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:30.741144896 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:30.746257067 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:32:30.746320963 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:32:30.751440048 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:00.353458881 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:00.395778894 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:00.509618998 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:00.510720015 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:00.515763044 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:00.515846968 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:00.520801067 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:04.062299013 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:04.063074112 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:04.063162088 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:04.101428986 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:04.106535912 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:04.106605053 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:04.111567020 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:07.484159946 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:07.536406994 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:07.651093006 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:07.692651033 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:07.812458992 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:07.813870907 CEST	49731	15288	192.168.2.4	185.37.62.158
Jul 28, 2024 19:33:07.817425966 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:07.820116043 CEST	15288	49731	185.37.62.158	192.168.2.4
Jul 28, 2024 19:33:07.820183039 CEST	49731	15288	192.168.2.4	185.37.62.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2024 19:32:00.102519035 CEST	49726	53	192.168.2.4	1.1.1.1
Jul 28, 2024 19:32:00.611557961 CEST	53	49726	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 28, 2024 19:32:00.102519035 CEST	192.168.2.4	1.1.1.1	0x28c	Standard query (0)	15288.client.sudorat.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 28, 2024 19:32:00.611557961 CEST	1.1.1.1	192.168.2.4	0x28c	No error (0)	15288.client.sudorat.top		185.37.62.158	A (IP address)	IN (0x0001)	false
Jul 28, 2024 19:32:19.397190094 CEST	1.1.1.1	192.168.2.4	0xb5fc	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 28, 2024 19:32:19.397190094 CEST	1.1.1.1	192.168.2.4	0xb5fc	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:31:56
Start date:	28/07/2024
Path:	C:\Users\user\Desktop\Wave.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Wave.exe"
Imagebase:	0x710000
File size:	3'133'952 bytes
MD5 hash:	DF016ABE8BFE2653C1DCA38309260358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: 00000000.00000000.1660970759.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:31:57
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe"
Imagebase:	0x4a0000
File size:	3'133'952 bytes
MD5 hash:	DF016ABE8BFE2653C1DCA38309260358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: 00000001.00000002.1682970469.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: Joe Security Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs Detection: 69%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:31:58
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Imagebase:	0x870000
File size:	3'133'952 bytes
MD5 hash:	DF016ABE8BFE2653C1DCA38309260358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:31:58
Start date:	28/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0xee0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SugarDump, Description: Yara detected SugarDump, Source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000003.00000002.2388704865.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:32:20
Start date:	28/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:32:58
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe
Imagebase:	0x2e0000
File size:	3'133'952 bytes
MD5 hash:	DF016ABE8BFE2653C1DCA38309260358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:33:06
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:33:06
Start date:	28/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:33:06
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1
Imagebase:	0x690000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:33:10
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo j "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:33:10
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:33:10
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo j "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 2504, Parent PID: 5468

General

Target ID:	15
Start time:	13:33:10
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	4

Executed Functions

Function 013A8D40 Relevance: 2.0, Strings: 1, Instructions: 741
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 013AA405

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f35450216bc41a19919ee7bdb0c25abff6bf9d617673c7cdb734e171e640c43a
Instruction ID: 3906f0dc1ca877f7fcfc78159718dde32208ab7a82155306fbc3d333a906cbc6
Opcode Fuzzy Hash: f35450216bc41a19919ee7bdb0c25abff6bf9d617673c7cdb734e171e640c43a
Instruction Fuzzy Hash: 57623870600615CFDB29DF38C598BAE7BB2FF48308F5445ADE5569B2A2DB34E884CB50

Function 013AC6C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 173
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013AE3CE
GetCurrentThread.KERNEL32 ref: 013AE40B
GetCurrentProcess.KERNEL32 ref: 013AE448
GetCurrentThreadId.KERNEL32 ref: 013AE4A1

Strings

`Q^q, xrefs: 013AC781
`Q^q, xrefs: 013AC751

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: Current$ProcessThread
String ID: `Q^q$`Q^q
API String ID: 2063062207-4048626156
Opcode ID: 44d8496adfef5a0a3464c4140245950f019738d0488528430145d99cfd82941f
Instruction ID: de3fa2d7950439cb5704c19ca736d215c4ef415966f3d3819e3e02aab84c3ed7
Opcode Fuzzy Hash: 44d8496adfef5a0a3464c4140245950f019738d0488528430145d99cfd82941f
Instruction Fuzzy Hash: D1619E74A00309CFDB04DFA9D848B9EBBF1FF88314F24846AD159A7390DB749844CB65

Function 013AE340 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013AE3CE
GetCurrentThread.KERNEL32 ref: 013AE40B
GetCurrentProcess.KERNEL32 ref: 013AE448
GetCurrentThreadId.KERNEL32 ref: 013AE4A1

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9a8c790aa1e82bd48bb46c5f28ff7eb2d429850f8a297324d2d66784f4df0da2
Instruction ID: 8bac553a31ee8283c675042f65fc34cd02565643af0f984857cfd3f078d74787
Opcode Fuzzy Hash: 9a8c790aa1e82bd48bb46c5f28ff7eb2d429850f8a297324d2d66784f4df0da2
Instruction Fuzzy Hash: 415145B0910649CFDB14DFA9D548BAEBBF5EB88314F20842AE458A7360DB349944CF65

Function 013AC6CC Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013AE3CE
GetCurrentThread.KERNEL32 ref: 013AE40B
GetCurrentProcess.KERNEL32 ref: 013AE448
GetCurrentThreadId.KERNEL32 ref: 013AE4A1

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6154352b5e88f37afeb5735f45409ba19833eeb0fe3c7cc847c56c48ca378890
Instruction ID: 3bfba973cb17890ea2df05f0342b7bc6ad107f8c1366963ff8cd19ee4f0cc4b1
Opcode Fuzzy Hash: 6154352b5e88f37afeb5735f45409ba19833eeb0fe3c7cc847c56c48ca378890
Instruction Fuzzy Hash: C65146B0910649CFDB14DFA9D548BAEBBF5FB88314F208429E059A7360DB349944CF65

Function 013AC8AC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013AC969

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 242860f5a936d85356511eca865d41e7ad5cbc7ac891805bc8b94e42d60ea6d3
Instruction ID: 619967d02d7c1c0bee1d3142eb140fb8259abde87b956b332c248aa1ca7f6a52
Opcode Fuzzy Hash: 242860f5a936d85356511eca865d41e7ad5cbc7ac891805bc8b94e42d60ea6d3
Instruction Fuzzy Hash: AE41FFB4C00619CEDB24CFA9C944BDDBBB5BF48308F64806AD408AB255DB75698ACF90

Function 013A7894 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013AC969

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f9798525e58efd91e4c4f364e01fb465b287ecbe52ad53fe40cd6669182bd8af
Instruction ID: 6d2e08434326e8d4b74d8287f188b6a23d7f70a2d61404171d6326688bc0cf1c
Opcode Fuzzy Hash: f9798525e58efd91e4c4f364e01fb465b287ecbe52ad53fe40cd6669182bd8af
Instruction Fuzzy Hash: B241D0B0C0061DCADB24DFA9C844B9EBBF5FF48304F64806AD408AB255DB756985CF90

Function 013AE590 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013AE61F

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 335cbdd032465bfef643c47bb7b636fb881eaf14040317e5dc629635355d39c7
Instruction ID: 86a6a07cea89cf639d9adb0de4ff7b204e4cc5d3a11476e9eef31f6fc57a019e
Opcode Fuzzy Hash: 335cbdd032465bfef643c47bb7b636fb881eaf14040317e5dc629635355d39c7
Instruction Fuzzy Hash: D821E6B5D002499FDB10CF99D584ADEBFF4FB48324F14842AE958A7310D378A944CFA5

Function 013AE598 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013AE61F

Memory Dump Source

Source File: 00000000.00000002.1670383948.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13a0000_Wave.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e782eb2e04ba059e956d832219aaf4f95b8132d873c97e36f775f8ac14a05d0
Instruction ID: 85155f75c6b1fa8d3c7485ed7cd0d48757b9862bbea1e0c31c85d6c0d706729d
Opcode Fuzzy Hash: 1e782eb2e04ba059e956d832219aaf4f95b8132d873c97e36f775f8ac14a05d0
Instruction Fuzzy Hash: 4921E4B5D002099FDB10CF9AD584ADEBFF8FB48324F14842AE958A3310D378A944CFA4

Analysis Process: universal_.exePID: 6696, Parent PID: 6528COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	87
Total number of Limit Nodes:	8

Executed Functions

Function 02A0E340 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A0E3CE
GetCurrentThread.KERNEL32 ref: 02A0E40B
GetCurrentProcess.KERNEL32 ref: 02A0E448
GetCurrentThreadId.KERNEL32 ref: 02A0E4A1

Strings

m, xrefs: 02A0E36C

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: Current$ProcessThread
String ID: m
API String ID: 2063062207-3775001192
Opcode ID: e2dc93cdf61d6321a1484269e97db561e8a84c96770e22832b15898d59ef3804
Instruction ID: e346f8ae6e28c0b58206533ea2acab86fb2c021eb15f9dae5a491eddc7dd9c95
Opcode Fuzzy Hash: e2dc93cdf61d6321a1484269e97db561e8a84c96770e22832b15898d59ef3804
Instruction Fuzzy Hash: 055168B09002098FDB14CFA9D588BDEBBF1EF88314F20C459E459A73A0DB359944CF66

Function 02A0E350 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A0E3CE
GetCurrentThread.KERNEL32 ref: 02A0E40B
GetCurrentProcess.KERNEL32 ref: 02A0E448
GetCurrentThreadId.KERNEL32 ref: 02A0E4A1

Strings

m, xrefs: 02A0E36C

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: Current$ProcessThread
String ID: m
API String ID: 2063062207-3775001192
Opcode ID: 5ead28a0c2386a3d32ca213f383bef28a996c8ab964029988c3d0d519cbeecf2
Instruction ID: 682c36955cc2a479ff28fb70d585639b31ef646ecec308df6b181817c6adce7c
Opcode Fuzzy Hash: 5ead28a0c2386a3d32ca213f383bef28a996c8ab964029988c3d0d519cbeecf2
Instruction Fuzzy Hash: A25146B09012098FDB14CFA9D588B9EBBF1EF88314F20C459E459A73A0DB359944CF66

Function 05509B58 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05509D8E

Strings

m, xrefs: 05509B93

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: CreateProcess
String ID: m
API String ID: 963392458-3775001192
Opcode ID: 73b26ef914dbcfde5102a6f2be3579d3a103190682b68ca3da1a1f86d843b600
Instruction ID: 768bdb427777096f9255b02c7f81671657acd23a4f64e8f83fe34e0a8b8e9f22
Opcode Fuzzy Hash: 73b26ef914dbcfde5102a6f2be3579d3a103190682b68ca3da1a1f86d843b600
Instruction Fuzzy Hash: 29914871D002199FDB10CFA8C980BEDBBF2BF48310F1485AAE849A7295DB749985CF91

Function 05509B57 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05509D8E

Strings

m, xrefs: 05509B93

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: CreateProcess
String ID: m
API String ID: 963392458-3775001192
Opcode ID: 9da190edf499b0d684614d842b0ebd8a7d6cc600b5659259c3db9c50b15cdfa1
Instruction ID: 226b90d2db129c43f99e4c39c1caf1ba56ddc1239d54119406026f3712c8b9c9
Opcode Fuzzy Hash: 9da190edf499b0d684614d842b0ebd8a7d6cc600b5659259c3db9c50b15cdfa1
Instruction Fuzzy Hash: AD914771D00219DFDB10CFA8C980BEDBBF2BF48310F1485AAE849A7295DB749985CF91

Function 02A0C8AC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A0C969

Strings

m, xrefs: 02A0C8EC

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: Create
String ID: m
API String ID: 2289755597-3775001192
Opcode ID: 3e834d17c62b4203b38c443d9997833a12490be1604b6cdd86d18a64b8c510fb
Instruction ID: be9a23cea3068ef98ef69e8171e41a981e34d7e0d5bbb5ef9b3445e523cdb132
Opcode Fuzzy Hash: 3e834d17c62b4203b38c443d9997833a12490be1604b6cdd86d18a64b8c510fb
Instruction Fuzzy Hash: 0541F3B4C00619CFDB28CFA9C884BDEBBB6BF48304F20816AD409AB291DB755945CF90

Function 02A07894 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A0C969

Strings

m, xrefs: 02A0C8EC

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: Create
String ID: m
API String ID: 2289755597-3775001192
Opcode ID: cec54da3e211d3820ee6c34d210fb8ee4073e97df78ebfc8f21b5ad5842e8904
Instruction ID: 28c520bf6f108254cae5865eaa2e4ae7d424c0f8136b57c1172b741046fd57dd
Opcode Fuzzy Hash: cec54da3e211d3820ee6c34d210fb8ee4073e97df78ebfc8f21b5ad5842e8904
Instruction Fuzzy Hash: 0141F3B4C00719CFDB24CFAAC884B9EBBB6BF48304F20816AD419AB295DB755945CF90

Function 055098C9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05509960

Strings

m, xrefs: 055098EF

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: m
API String ID: 3559483778-3775001192
Opcode ID: 34b20f0b222ed73ae32ca4b83c78abcd2cdaa394413a044b4a5cb69b0e863bf7
Instruction ID: 6ab475be11bf3135409539f52cb47ac691ef058bdc2d1eb424b96e33a37419c2
Opcode Fuzzy Hash: 34b20f0b222ed73ae32ca4b83c78abcd2cdaa394413a044b4a5cb69b0e863bf7
Instruction Fuzzy Hash: 252168B19003599FCF10CFA9C880BDEBBF4FF48320F10842AE959A7245C7789540CBA0

Function 055098D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05509960

Strings

m, xrefs: 055098EF

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: m
API String ID: 3559483778-3775001192
Opcode ID: 60bb5e6e207a44ee51230ffbf4b0751698cd6e259e05cdf8d1a4d5e86bf91c2d
Instruction ID: 539e32d808741be9a5a0ee9c36d7c8bb5c2a1ca1c797f909cbdf4955f58c2c85
Opcode Fuzzy Hash: 60bb5e6e207a44ee51230ffbf4b0751698cd6e259e05cdf8d1a4d5e86bf91c2d
Instruction Fuzzy Hash: 3E2125B59003599FCF10CFAAC885BDEBBF5FF48310F10882AE959A7255C7789944CBA4

Function 05509730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 055097B6

Strings

m, xrefs: 05509754

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: ContextThreadWow64
String ID: m
API String ID: 983334009-3775001192
Opcode ID: 4224d9f9123e91614f8b0b6358192872f0b34670105ad53f437f8cec32ef6d1e
Instruction ID: 389f2c40fbeee81d124f7131fcb3f8f7de7f8f0348e3ca567adad9e545d13a56
Opcode Fuzzy Hash: 4224d9f9123e91614f8b0b6358192872f0b34670105ad53f437f8cec32ef6d1e
Instruction Fuzzy Hash: 8C216AB2D002098FDB10DFAAC4857EEBBF4FF89324F14842AD459A7241D7789984CFA1

Function 055099B9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05509A40

Strings

m, xrefs: 055099DF

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: MemoryProcessRead
String ID: m
API String ID: 1726664587-3775001192
Opcode ID: 2348ebec745cd5b346e8cbdf618ca131bdd3a666c1c73c790d9680521b951b39
Instruction ID: a14e7ed1bb9dbad9cb344dbed4aa21ccd8fd4770f90160078f872e3d4c0d0770
Opcode Fuzzy Hash: 2348ebec745cd5b346e8cbdf618ca131bdd3a666c1c73c790d9680521b951b39
Instruction Fuzzy Hash: 7E2136B18003599FCB10DFAAC880BDEFBF5FF88310F50842AE958A7251D7399940CBA4

Function 02A0E590 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A0E61F

Strings

m, xrefs: 02A0E5B7

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: DuplicateHandle
String ID: m
API String ID: 3793708945-3775001192
Opcode ID: 33cf6194b1104a97ccf5ab6b8059646ce5559ddaddb27974653b28bd0ba31099
Instruction ID: 3e9461b29999766d2ea97098979d1d6021119ec535792b4a1a2011dc22515658
Opcode Fuzzy Hash: 33cf6194b1104a97ccf5ab6b8059646ce5559ddaddb27974653b28bd0ba31099
Instruction Fuzzy Hash: F621E4B5D012499FDB10CFAAD984ADEFBF4FB48324F14841AE958A3351D378A940CFA5

Function 05509738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 055097B6

Strings

m, xrefs: 05509754

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: ContextThreadWow64
String ID: m
API String ID: 983334009-3775001192
Opcode ID: decf9a90f02d7848ff13bce42ea715696b880a6883100ab33fac23d9d1b08866
Instruction ID: 299eab0bc03ec5528213dd060ecd9f297464fb2c8c45afe9cb507ec02192aa0a
Opcode Fuzzy Hash: decf9a90f02d7848ff13bce42ea715696b880a6883100ab33fac23d9d1b08866
Instruction Fuzzy Hash: 132107B29002098FDB10DFAAC4857EEBBF5FB89324F54842AD459A7241CB789944CFA5

Function 055099C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05509A40

Strings

m, xrefs: 055099DF

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: MemoryProcessRead
String ID: m
API String ID: 1726664587-3775001192
Opcode ID: e533ab32845446bb3d01087f6aeeaa8c447ba131623678b9dabd66db6e5eda42
Instruction ID: 1af26ee629ba389c8dc7694cf9b926676687de12ec7b268c120bf27a8187f524
Opcode Fuzzy Hash: e533ab32845446bb3d01087f6aeeaa8c447ba131623678b9dabd66db6e5eda42
Instruction Fuzzy Hash: 7F2116B19002599FCB10DFAAC840BDEBBF5FF48310F50842AE959A7251C7389544CBA4

Function 02A0E598 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A0E61F

Strings

m, xrefs: 02A0E5B7

Memory Dump Source

Source File: 00000001.00000002.1678274427.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a00000_universal_.jbxd

Similarity

API ID: DuplicateHandle
String ID: m
API String ID: 3793708945-3775001192
Opcode ID: 7d5d6c14a7a2524222c512eaba24d874cbb757a7864a7c6a2fe0a89620a678db
Instruction ID: 96008b53a2ce028d01f51d421e6bdf7b7bcc0f259ca7535071fb3f603041ed0f
Opcode Fuzzy Hash: 7d5d6c14a7a2524222c512eaba24d874cbb757a7864a7c6a2fe0a89620a678db
Instruction Fuzzy Hash: C321E4B5D002489FDB10CFAAD584ADEFBF4EB48310F14841AE954A3351D374A940CFA4

Function 05509680 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 055096EA

Strings

m, xrefs: 0550969F

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: ResumeThread
String ID: m
API String ID: 947044025-3775001192
Opcode ID: 3acd0b2c95af79dc15e49c0491800bc3243df3d53a2b0d98802e6e142961efbb
Instruction ID: 4ff7956e53520daa404eb128c2b43e88394e4989aac701960eb0546e21a5d013
Opcode Fuzzy Hash: 3acd0b2c95af79dc15e49c0491800bc3243df3d53a2b0d98802e6e142961efbb
Instruction Fuzzy Hash: 14115BB19002488BCB20DFAAC4457EFFBF4EF88324F208419D459A7254C735A544CFA4

Function 05509810 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0550987E

Strings

m, xrefs: 05509827

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: AllocVirtual
String ID: m
API String ID: 4275171209-3775001192
Opcode ID: 0e6e343d15c6ffdea53959512c898aaa8bf74e50b3b1927d84d60dc191dec614
Instruction ID: 3268f6aba989528f04893bee856df6571ea648d082fcf71515b825d0da3f89f7
Opcode Fuzzy Hash: 0e6e343d15c6ffdea53959512c898aaa8bf74e50b3b1927d84d60dc191dec614
Instruction Fuzzy Hash: 871126729002499FCB10DFAAC844BDEBBF5EF88324F148419E559A7250C775A544CFA4

Function 05509688 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 055096EA

Strings

m, xrefs: 0550969F

Memory Dump Source

Source File: 00000001.00000002.1689614656.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5500000_universal_.jbxd

Similarity

API ID: ResumeThread
String ID: m
API String ID: 947044025-3775001192
Opcode ID: 90cc21cc24c8b5f01a7ec3a6042590bc209095071cee286d9ece966bbb176a6f
Instruction ID: b2c85aaf5d6529019bac02c6ddd1c7ec0d285e2fd6c5c255f1901bed784140d7
Opcode Fuzzy Hash: 90cc21cc24c8b5f01a7ec3a6042590bc209095071cee286d9ece966bbb176a6f
Instruction Fuzzy Hash: D0113AB1D003488FCB10DFAAC4457DEFBF5EB88324F208419D459A7250CB79A544CFA4

Analysis Process: universal_.exePID: 6844, Parent PID: 1044COMMON

Executed Functions

Function 02CD8D40 Relevance: 2.0, Strings: 1, Instructions: 711COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02CDA405

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b6fc24b6699a67046ade065cba093dafed4b5db910e739e5f2b31b08642004a3
Instruction ID: b22a2e5ac60f52e27eeb68387079cb5a63663785ecaf71efa2a58a1b03020b3b
Opcode Fuzzy Hash: b6fc24b6699a67046ade065cba093dafed4b5db910e739e5f2b31b08642004a3
Instruction Fuzzy Hash: 8B523A787006158FCB29DF39C594BAEB7F2BF88304F1445ADE65A8B2A1DB30E945CB50

Function 02CD5E98 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

tP^q, xrefs: 02CD605B
dbq, xrefs: 02CD5F17

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: d2acbdbfb3f40506f82c5c31b5144583ed56289e7dc8a9eee4831304f9ec4c72
Instruction ID: f055c23ad8378cc7ac7c0133c9f739040f31f700ee962871f9416e88d8844ab4
Opcode Fuzzy Hash: d2acbdbfb3f40506f82c5c31b5144583ed56289e7dc8a9eee4831304f9ec4c72
Instruction Fuzzy Hash: 6D91BE34B00215CFDB08AB75D45876E77B6EB88304F20456AD90AEB394DF369D85CFA1

Function 02CD5E88 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

tP^q, xrefs: 02CD605B
dbq, xrefs: 02CD5F17

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: 1c04fde4d6fd93eafadff01986443faab36bbe2d35463b1f831ee964a93428f4
Instruction ID: 3e0284716280e655cff4311852c0b256543df01b3f621375112df4ee4b63549e
Opcode Fuzzy Hash: 1c04fde4d6fd93eafadff01986443faab36bbe2d35463b1f831ee964a93428f4
Instruction Fuzzy Hash: B591A134B002148FDB05AB75D45876E7BA6EB88305F10496AD90AEB394DF36CD86CF61

Function 02CDAACF Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

C8, xrefs: 02CDAB49

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: C8
API String ID: 0-392638660
Opcode ID: 6450a7fc30ae4617164c42ff05913b1c066b3aa07ebd4ae29db7cde258074d80
Instruction ID: e1ef1be5418fe92af11e2f7e134b8e0ea3dfc9f71211f49e5e7f904adb7c0613
Opcode Fuzzy Hash: 6450a7fc30ae4617164c42ff05913b1c066b3aa07ebd4ae29db7cde258074d80
Instruction Fuzzy Hash: FC41DD34B442049FCB05DB78D494D6EBBF6EFC925031585AAE90ACB3A1DB30ED06CB91

Function 02CD6C68 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02CD6D24

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2733e1d931db7ea86bd6edcec0b7847aba3a2118308708a10e16fc6abfbf2d10
Instruction ID: f6a330f669c7a6ec7e7bc0a0880bfc8373d235ba5d4257f1f8789a95391f0b86
Opcode Fuzzy Hash: 2733e1d931db7ea86bd6edcec0b7847aba3a2118308708a10e16fc6abfbf2d10
Instruction Fuzzy Hash: 7C418030B002149FCB14DF6ED558B5DBBF6AF89710F2485A9E505EB3A4CE719D058B90

Function 02CD10A3 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02CD110C

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: caba2781236bb5dfbf0f7457fb1b7f9650048eab3beabb88e8bdbf2bb1d187ab
Instruction ID: 088d730084cdffb1e29a10ddba642482390135c40b198657ec3c885464af2366
Opcode Fuzzy Hash: caba2781236bb5dfbf0f7457fb1b7f9650048eab3beabb88e8bdbf2bb1d187ab
Instruction Fuzzy Hash: 9D218E31B401158FDB149B69C858BAEBBF6AF88714F24045AE506EB3A5CBB19D018BD1

Function 02CDA550 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9ae145e92005aad7bad99c3a531b6ce19131f404c0b2dce4f8281c7abc5db0
Instruction ID: 9d8d171e93d132addccb77c81f711ff2b825fbb75584ae831fde7e921b3e12c3
Opcode Fuzzy Hash: 0b9ae145e92005aad7bad99c3a531b6ce19131f404c0b2dce4f8281c7abc5db0
Instruction Fuzzy Hash: 18021434704701CFC715DF39C894A2A7BF6AFC9604B1544AADA4ACB361EB35ED02CBA1

Function 02CD8750 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83a6da876e05915b2a2e202f0abdc379fc6dccbc103c701ad54d08c922a9295
Instruction ID: 4839be0f800f739551573e769df9a122ee68679e823098a3b573ce01aa4b24fd
Opcode Fuzzy Hash: b83a6da876e05915b2a2e202f0abdc379fc6dccbc103c701ad54d08c922a9295
Instruction Fuzzy Hash: B112F574340A01CFC728DF39C998A6A77B6BF887047154AA8E616CB3A1DB35ED46CB50

Function 02CD92DA Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5d1917484764842a7e26fa117c8d9359a2c3e7322ec7576b4ab9ea77b299f9
Instruction ID: 29e684f41919cdb1f185c3a76e396589f0109b5ca596a1eac23fcf75d8e5fbf3
Opcode Fuzzy Hash: fd5d1917484764842a7e26fa117c8d9359a2c3e7322ec7576b4ab9ea77b299f9
Instruction Fuzzy Hash: AC51D4387047408FC725CF39C894A6EBBF6BF89314B044599E64ACB2A2DB35ED45CB60

Function 02CDA270 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df606fe15d51db72c5f19601fdef32c942fc36919ae0a898c0bddbe1b47db7f
Instruction ID: 58b10e16d06c430b25c3d27d74fd6eebc40da3a1e5f9138dab2fc569cb5a3514
Opcode Fuzzy Hash: 4df606fe15d51db72c5f19601fdef32c942fc36919ae0a898c0bddbe1b47db7f
Instruction Fuzzy Hash: 3151F074300A05CFCB18DF39C994A6AB3B2BF8830571549A8E64ACB3A1DB35ED45CB50

Function 02CD9BE7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcc50ee588e8aea306684a1d7772e8e94eac2ab621eee61ca61de07621acd36
Instruction ID: 4b0f72bad65d50d564b5332e8d948420e46982e92e6efac4fabd6a9f231b8aae
Opcode Fuzzy Hash: 5dcc50ee588e8aea306684a1d7772e8e94eac2ab621eee61ca61de07621acd36
Instruction Fuzzy Hash: 0E51E179300A05CFC728DF39C894A6A77F6BF89204B1509A8E606CB761DB35FD45CB50

Function 02CD0E98 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1ce4e70246318a32b812a74822ded595d66320379f60b721e375b23ef2a2c3
Instruction ID: 22691d59fbeecd12f5b73a30015212c2a51c6f70ae510aab6c49c9dbc5a34457
Opcode Fuzzy Hash: 5a1ce4e70246318a32b812a74822ded595d66320379f60b721e375b23ef2a2c3
Instruction Fuzzy Hash: 0C31A431E00245DFDB14DF69D594BEDBBB2FF88304F218669E505A7260DB71A946CF80

Function 02CD6A28 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1f4c6f2872e98644c2fee3c3d751d806fd6e4958e815e6b88f9d0059ab4016
Instruction ID: 66e092136bece686d726496ba42f37d77121ea4a0c35d817e34ac1dd5f2753aa
Opcode Fuzzy Hash: 6e1f4c6f2872e98644c2fee3c3d751d806fd6e4958e815e6b88f9d0059ab4016
Instruction Fuzzy Hash: 04314834D40208EFCB04EFA8E594AEDBBB6EF89300F20856AE505AB364DB716945CF50

Function 02CD6A38 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142095f3790bf5aaa3ceec7701975433bb20e8aa35b47501a954480843458b39
Instruction ID: c2952e013556f1865bb3cc8ce86a7f3cc6e10a3a9ffa4cd4ee779a7af43b77f5
Opcode Fuzzy Hash: 142095f3790bf5aaa3ceec7701975433bb20e8aa35b47501a954480843458b39
Instruction Fuzzy Hash: 2D31F634D01209EFCB04DFA8E594AEEBBB6EF48304F20852AE501A7364DB716945DF51

Function 02CD0D40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c42a078737fdf4dc36935ca019890764427a5d2686bab71a9104b9923caa68d
Instruction ID: cdf77303a4d7fe73ad3a032cbf991c20f0f5819888a50d22b6d74a604b35f718
Opcode Fuzzy Hash: 2c42a078737fdf4dc36935ca019890764427a5d2686bab71a9104b9923caa68d
Instruction Fuzzy Hash: B201F53AB403514BC301663DF88069A77D7EBC0B69F24053BE60EC7385CE22DC068390

Function 02CD8740 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4c932f25f113473e3a28cd897c1692c599dfc82dc5a22b79fec34ab9470290
Instruction ID: 3cd5d6f45460ba03fdd4fb907323623c1d07d7a9c642418ce26c75a03c6f5b53
Opcode Fuzzy Hash: ee4c932f25f113473e3a28cd897c1692c599dfc82dc5a22b79fec34ab9470290
Instruction Fuzzy Hash: 5A115B352146008FC324DF29C884DA677B6FF89721B120A99E646CB3A2CB35FC05CB20

Function 02CDAA18 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4d266630c0b867dbfaec76474a9691d4fa53c537b296619b67f147a4c671ef
Instruction ID: 9b5e1c24087172600ceba9ea3ee06a7e8b83fac671204152e090638a6883cb5a
Opcode Fuzzy Hash: 7b4d266630c0b867dbfaec76474a9691d4fa53c537b296619b67f147a4c671ef
Instruction Fuzzy Hash: 6DF028327483419FDB048669995062BFBA59BC5190315973BD60EC7345DF35DC01C760

Function 02CD1220 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be3bc8a087bb8a26936a11c4fef42971c07319e4746e55b5f2466275e0d644
Instruction ID: 7bf453719ddd780dd693ce11ce8169be44dd381ac12f815dd8eb19793f272333
Opcode Fuzzy Hash: 43be3bc8a087bb8a26936a11c4fef42971c07319e4746e55b5f2466275e0d644
Instruction Fuzzy Hash: BBF0CD313082904FC3044B3E9854B267BE6EFC6760B2981EBF659CB3B2CAA1CC05CB51

Function 02CD1213 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3c60c3bc22e0665be57c78ef76364e3700230c61a255b52b7267f8c1fc69bf
Instruction ID: 93a314a5198a97b0029d6b7868b8d2b84a71806dae2f27be2db5f869c308f006
Opcode Fuzzy Hash: ce3c60c3bc22e0665be57c78ef76364e3700230c61a255b52b7267f8c1fc69bf
Instruction Fuzzy Hash: 6BF05E343041904FD7055B6EC894B667BE6EFCA765B2980EAE649CB372CAA1DC068B50

Function 02CD11C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334dc9c01d1c9aff23c0c7e2af235630b69cfe5bf8ef18f319b2942c257773b2
Instruction ID: 82cce0007837986162e95deab6b4232315caabb102cd3a15fda2318692dec77b
Opcode Fuzzy Hash: 334dc9c01d1c9aff23c0c7e2af235630b69cfe5bf8ef18f319b2942c257773b2
Instruction Fuzzy Hash: ECF01C357005105FC3549A5FD884F16BBEAAFC8A64B2580A9F20ECB775DAA1DC018650

Function 02CD11BB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28847e535438742c124ad11dc0e1e76c1343e8597141a2367ff9f3b570a6995c
Instruction ID: 4c24a8c7029d062b0afc83a2c7f6838bc6403502499bc8f0eef32125e298d37d
Opcode Fuzzy Hash: 28847e535438742c124ad11dc0e1e76c1343e8597141a2367ff9f3b570a6995c
Instruction Fuzzy Hash: BCF0E5317086905FC30157AEAC50A57BFE6DFCA361B2884EAF28DCB366D961CC028751

Function 02CD13E8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5a07bfe43838f1822b4e76729202c9ed99318617dafad6927c4239f23cac70
Instruction ID: b563a749026061a7ceff5c11bd720a2d2ab76214a2d37d8c3bcb75b2dac4cc3a
Opcode Fuzzy Hash: 8d5a07bfe43838f1822b4e76729202c9ed99318617dafad6927c4239f23cac70
Instruction Fuzzy Hash: 5CF08C7090A3889FCB02DBB4DE1976ABFB4DF42204B0944EBC548E7356D6249E089712

Function 02CD0FAB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a2b6238f686c667b99c910ca578aee4f58a34e11bd49f12b0e2fe9b4adddb9
Instruction ID: 84de22f44a07b2282a063d45a7b02ce6e7656e8f40ebe7de04623aaaa01f6dd5
Opcode Fuzzy Hash: 63a2b6238f686c667b99c910ca578aee4f58a34e11bd49f12b0e2fe9b4adddb9
Instruction Fuzzy Hash: ACF01D70D4121DDFEB20EF90D959BAEBB71BB44345F540529D50673280CBB52D41CB80

Function 02CDB050 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b8030cb98afea9e2ce0afe19a6ef5be296b9a6c8c7969b15a2f63b03cb3da3
Instruction ID: 7821e6999004bc794ef8a1ecb30e7c2a64c2969fbe0ce49eb99777a145285655
Opcode Fuzzy Hash: c0b8030cb98afea9e2ce0afe19a6ef5be296b9a6c8c7969b15a2f63b03cb3da3
Instruction Fuzzy Hash: 3DF0827090834A9FCB41EFB8D9516DEBFB0EF05201F1044A6C099E7192EB705A04CBA2

Function 02CD6BE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd46f580dcdd6238a8ed9aedd1d1a5ae2f68f0ffb2a3aa413e8ac4cf5b991da
Instruction ID: 55f9f37bd366ad6fafe38872e619e63fc2fd7908ee93732555445211cf099f4c
Opcode Fuzzy Hash: 6cd46f580dcdd6238a8ed9aedd1d1a5ae2f68f0ffb2a3aa413e8ac4cf5b991da
Instruction Fuzzy Hash: 55E0C232301126ABDF14255EB1103FA36CCDB80269F1888B6EA0DC3250EB1BC941D791

Function 02CDB060 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd705fd1ed02321b78df9ac430190542b7a2fe16756633119754edf54d89b9d
Instruction ID: 5caeb4db5f43ba75263c7256a3641b60d698a93d1a0d71bd896f0f083868b8a5
Opcode Fuzzy Hash: 3cd705fd1ed02321b78df9ac430190542b7a2fe16756633119754edf54d89b9d
Instruction Fuzzy Hash: 5CE0ED71D0021A9FCB44EFA8DA416DEBBB4EB08210F104566C559F3244F7706B05CBA2

Function 02CD1068 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f890043c4836aece739c88fa88e3e03cd35d16d115c11d64a522c920215f35
Instruction ID: 365fa1b944790874a4f786b52132362c05342850eb950762679f9fa659d017d7
Opcode Fuzzy Hash: d8f890043c4836aece739c88fa88e3e03cd35d16d115c11d64a522c920215f35
Instruction Fuzzy Hash: EDD01732A4520DABCB10EEB099015AAB7ECEB49105B5406EAAD0DD3200EA32DA119BD1

Function 02CD1063 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e7ef41fdc032769f7e32579fa9817c9efd8220386345248caf52e113d34a1d
Instruction ID: d645840c3d5cfe2018ad4c422b03699ef27dacbdbe93f9affdeb61b218be927e
Opcode Fuzzy Hash: a9e7ef41fdc032769f7e32579fa9817c9efd8220386345248caf52e113d34a1d
Instruction Fuzzy Hash: A2D05B31944209EBC701EFB0DD015DAB7E89F05215F1406E6D909D7101EB33CA01DB81

Function 02CD13F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1af014253118e6e7aa86b1ca976efba46b26e8b58e8ecb1b45e311a2ef2e06b
Instruction ID: e31b8c556473f643bb8e9fbf54b1711fc4d1ee4051837febf3d259458ba9b355
Opcode Fuzzy Hash: a1af014253118e6e7aa86b1ca976efba46b26e8b58e8ecb1b45e311a2ef2e06b
Instruction Fuzzy Hash: A5D01270D02108EFCB40DFA5EA0555DB7F9DB44204B1045AAD408E3300DA315E049B50

Function 02CD0840 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba06850518b929510ecef740c1cc980feb4e61badce9f624fe128e911c193fbc
Instruction ID: 0f5cd845ed054d075d51ba788b4b52fb27f02adedbd6b5a92560c08a72dcbbee
Opcode Fuzzy Hash: ba06850518b929510ecef740c1cc980feb4e61badce9f624fe128e911c193fbc
Instruction Fuzzy Hash: 37C02B1040EB8C4FF3C237146D14F293F495717391F4400E18D1CCE1C3E5040C008B11

Function 02CD0D1B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10c5dd29a8ed5b253fade21310fe030c8b308a7917b11f4b4db380af6b6cac1
Instruction ID: 37bcd5d2789d3fd39274451de8f1706aaaa226ef612b0205fd238d0141ecbd34
Opcode Fuzzy Hash: d10c5dd29a8ed5b253fade21310fe030c8b308a7917b11f4b4db380af6b6cac1
Instruction Fuzzy Hash: 4BB01211918EC142C606022404400D53F50B8C74703C847C4C1D84D8F1C30D0403F509

Function 02CD6BB1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fbad1e339a438c64493054d1cbf19649f3a954cef14ebdf5748c041766631b
Instruction ID: b1d3eb0c0c35136b188d3b748ffcba0e734a83bb45840881d54315ce7411032e
Opcode Fuzzy Hash: 29fbad1e339a438c64493054d1cbf19649f3a954cef14ebdf5748c041766631b
Instruction Fuzzy Hash: DFB0922C8610084B9D40FF09D1894462B59FA417503549341980882324CB20D402AF40

Function 02CD0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b328f82ec1ed73916dbbd213ae586329a94ee559105c8e9a916f626619cc54b
Instruction ID: 4449e7573bb64bb64ce2aac8d82baaacb73cf0936a98c07fa6a7e3a2876055b8
Opcode Fuzzy Hash: 2b328f82ec1ed73916dbbd213ae586329a94ee559105c8e9a916f626619cc54b
Instruction Fuzzy Hash: 5F90223088030C8B080023803008B28330CA0800303C00000A00C000000A0028208C80

Function 02CD0488 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1731368891.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2cd0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80b21fe21bb6b0290d2f4f1612a858c4daddd274d075e8b5c6a9c54b165a115
Instruction ID: 3a654154761fd3ac534e9c6ad6be849d8fd80064f862c4d53fd359885c135ae6
Opcode Fuzzy Hash: c80b21fe21bb6b0290d2f4f1612a858c4daddd274d075e8b5c6a9c54b165a115
Instruction Fuzzy Hash: 97A002B0E410058BCE04DF26EB9963AFF61BBC4361B469795D60F4E156CB21A851CF80

Analysis Process: MSBuild.exePID: 6868, Parent PID: 6696COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	268
Total number of Limit Nodes:	17

Executed Functions

Function 074022C0 Relevance: 4.1, Strings: 3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ckk^, xrefs: 0740245F
#kk^, xrefs: 0740258D, 07402592
3kk^, xrefs: 074024C3

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID: #kk^$3kk^$Ckk^
API String ID: 0-3358038418
Opcode ID: 7ba06c0a0275e975f8f169ffc08d887a6f601195c2cba89f2e099cbb824dc1c2
Instruction ID: b4554d72bf3e8144fe10a1ede9eb54ae4b00c65c95093a9e2638db0ac0f0c6d6
Opcode Fuzzy Hash: 7ba06c0a0275e975f8f169ffc08d887a6f601195c2cba89f2e099cbb824dc1c2
Instruction Fuzzy Hash: 93D14BB4B00206DFDB14DF68D594A9EB7F2FF88300B158469E8099B3A1DB75ED42CB91

Function 073D5A40 Relevance: 2.9, Strings: 2, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX^q, xrefs: 073D5D51
XX^q, xrefs: 073D5EA3

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: XX^q$XX^q
API String ID: 0-1102689228
Opcode ID: 427e65366c3e83ff2cb3f4caecf7473f29f27acf894621e11b00079d1c37a3bd
Instruction ID: 65cd82aeffc6efaea8ecf473af773c19fa57d4672a1d81c23ae5a635ef393c20
Opcode Fuzzy Hash: 427e65366c3e83ff2cb3f4caecf7473f29f27acf894621e11b00079d1c37a3bd
Instruction Fuzzy Hash: 6ED1A0B17002069FEB14EF79E49466DB7A2FFC4310F10C929C51A9B7A4DB70EC598B91

Function 07407218 Relevance: 2.5, Strings: 1, Instructions: 1269COMMON

Download Yara Rule

Strings

,7bq, xrefs: 07407857

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID: ,7bq
API String ID: 0-2588767232
Opcode ID: 9cc0508789e90d9970aae04b623f625d4d3832774ef78b1af076f1f4cc105eb9
Instruction ID: 292eab2bac883905c835cca2bc0034a772204a89b8b739489688cee89e93f22e
Opcode Fuzzy Hash: 9cc0508789e90d9970aae04b623f625d4d3832774ef78b1af076f1f4cc105eb9
Instruction Fuzzy Hash: 2B9290B0B402069FDB19ABB8945466E7BE7FFC8340F24846AD406DB3D5DE75DC428B82

Function 06E382B9 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4a383f1b2cfd9505afab9a3c33c6ea87087b15abcbe464f8944b602b7212dd
Instruction ID: 609bc7ad928b00057796720ed2ad8d5878dd688d5427c5512d2574e5022e318e
Opcode Fuzzy Hash: ca4a383f1b2cfd9505afab9a3c33c6ea87087b15abcbe464f8944b602b7212dd
Instruction Fuzzy Hash: ADD12870E103198FDB54DFA9C948BAEBBF2BF84304F159568E405AF2A5DB70E945CB80

Function 072E0710 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vl, xrefs: 072E09C7

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: b748c75b2723b3ea4be2f84e5f32a0429f563e54947a663e794ececf6d5f8326
Instruction ID: 312661ab49a86ecf1b351ea858abd336404ef78444226eb1dcb5144ae2cd99bc
Opcode Fuzzy Hash: b748c75b2723b3ea4be2f84e5f32a0429f563e54947a663e794ececf6d5f8326
Instruction Fuzzy Hash: B0B151B0E1020ECFDB20CFA9D8857EDBBF6AF48704F648529D415A7254EBB49846CF91

Function 074006B8 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce84469aebd0d6d15af6de69fc9d8cc2c3621edc3c2f35751c27cdfcac90f35
Instruction ID: 1e9f6d9021cce57179411881f30143f037b5ac57cdc2033d47ed7defe5774999
Opcode Fuzzy Hash: 2ce84469aebd0d6d15af6de69fc9d8cc2c3621edc3c2f35751c27cdfcac90f35
Instruction Fuzzy Hash: 86727DB5700206DFDB14DF68D494AAEBBB2FF88310F148569E8069B3A1DB35EC45CB91

Function 072EE2F8 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d862feb28999dfcd9dae26ddf66314d11b4f73ab73c79ad311906b4508c2a8f
Instruction ID: c8a133767fbcee3a041dc40203d385feacfadca1af14b7fd8ea3ac1a3f9a3d38
Opcode Fuzzy Hash: 0d862feb28999dfcd9dae26ddf66314d11b4f73ab73c79ad311906b4508c2a8f
Instruction Fuzzy Hash: 31623C74B00219CFDB54DF64D998BADBBB6BF88300F1084A9D40AAB395DB34AD85CF51

Function 0740B818 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11a5a48c1e84513b0e7ae57d9f438da88c4314fe14d6868472f6fe9434250a4
Instruction ID: 1ac23f259634d5a215fa51e59862cc01c6542135354e1f356540782caed2cf5e
Opcode Fuzzy Hash: d11a5a48c1e84513b0e7ae57d9f438da88c4314fe14d6868472f6fe9434250a4
Instruction Fuzzy Hash: 0B22DEB0B003459FD7159B78D854AAEBBB6FFC5210B1484AAD80ACB392DF34DC45CB95

Function 07402700 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5d8cfc01eb5b2939ef399986570100ef82380533778e35d863660086774b9a
Instruction ID: 2a95f80de11a3685d1f6112ad2f99bff3c855e30cd03bb03feb49969bbb01ecf
Opcode Fuzzy Hash: 9a5d8cfc01eb5b2939ef399986570100ef82380533778e35d863660086774b9a
Instruction Fuzzy Hash: 48D1A3757002059FDB05DF78C858AAEBBBAFF89350B1480AAE505DB3A1DB35DD42CB90

Function 073D3FC8 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8722f7d9a48472b7f081377c0606efd06bbfa3e1f3030f6fad9bc0ef939b4b9b
Instruction ID: df1a4394669785e69a7729451b987770269852813b86d915f8e735cf18b55572
Opcode Fuzzy Hash: 8722f7d9a48472b7f081377c0606efd06bbfa3e1f3030f6fad9bc0ef939b4b9b
Instruction Fuzzy Hash: 3BC182B1700247DFEB14DF79E884769B7A2FF84250F00C928D91A9F664DB70EC958B91

Function 072E0FE0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1d6cf73559ae555bba242e3ebe9291d6254a7a04e19acd5a656436068b8c39
Instruction ID: 3d4eb502301b8445840dc2065de5835523dd242ce2d41d29a80aa0ba4dcab86f
Opcode Fuzzy Hash: 4e1d6cf73559ae555bba242e3ebe9291d6254a7a04e19acd5a656436068b8c39
Instruction Fuzzy Hash: FCB16DB0E1020ECFDB10CFA9C8817ADBBFAAF48314F548539D815EB294EB749855CB81

Function 0166E340 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0166E3CE
GetCurrentThread.KERNEL32 ref: 0166E40B
GetCurrentProcess.KERNEL32 ref: 0166E448
GetCurrentThreadId.KERNEL32 ref: 0166E4A1

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b2f633c1bd488b427abe146e645282b19329517dfea73b3ecf6272d6b1c8f8b8
Instruction ID: b6348234ef3139814ea86eb0c98629c2d84aff3df90e3223515a1b1fa45bc005
Opcode Fuzzy Hash: b2f633c1bd488b427abe146e645282b19329517dfea73b3ecf6272d6b1c8f8b8
Instruction Fuzzy Hash: 355167B09013498FDB14DFA9D948BAEBFF5EB88304F20C469E459A7360DB355844CF65

Function 0166E350 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0166E3CE
GetCurrentThread.KERNEL32 ref: 0166E40B
GetCurrentProcess.KERNEL32 ref: 0166E448
GetCurrentThreadId.KERNEL32 ref: 0166E4A1

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 601e6215c0b0373004938415c259d4848409a8ff730669c7fcfd01b1ba1d2983
Instruction ID: 51edaa8d1f65abbff8d6843263885a7e3b293347d038c53de704efeb4fcca61f
Opcode Fuzzy Hash: 601e6215c0b0373004938415c259d4848409a8ff730669c7fcfd01b1ba1d2983
Instruction Fuzzy Hash: 835156B0901349CFDB14DFA9D948B9EBBF5EB88304F20C429E458A7360DB359844CF65

Function 073DDE18 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

(bq, xrefs: 073DDE59
(bq, xrefs: 073DDEA7

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: e3e695d5b7c150b98f6feb2c4ab0e47fe5f74a41ea570cc7cdb6c1fa38f3c7dd
Instruction ID: fec30ebfd1a63fd48d7ecaacc498b0d8d29120138009b5c4fbea426deb1bd77e
Opcode Fuzzy Hash: e3e695d5b7c150b98f6feb2c4ab0e47fe5f74a41ea570cc7cdb6c1fa38f3c7dd
Instruction Fuzzy Hash: 14516AB27053914FD3165738B4247AE3FE5BBC2211F0885ABD049CB796CF248D0987D2

Function 072E66E8 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072E67AE
4'^q, xrefs: 072E67C0

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: fdf002efe36e39e2b82800e1fe79778ea4a7c2d61b507a243ec507bc740a8b80
Instruction ID: 7e83210fe501ae0d992066aa34b1a3ddbbed19bce1a29eaf106e5123d2821151
Opcode Fuzzy Hash: fdf002efe36e39e2b82800e1fe79778ea4a7c2d61b507a243ec507bc740a8b80
Instruction Fuzzy Hash: C02143717003514FD3196B38A51912E7BEBEFC5310B1088BEC806CB396EE35CC4A8791

Function 072E67F4 Relevance: 2.5, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072E67AE
4'^q, xrefs: 072E67C0

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 5f32e31a5485355d73669c54da3d041c6b8361edb07820634d50bab3bf411ea6
Instruction ID: 6762cbbd86f10c91bc99ba5131dbc49eadf3ce3dc733c3cb319a732081289897
Opcode Fuzzy Hash: 5f32e31a5485355d73669c54da3d041c6b8361edb07820634d50bab3bf411ea6
Instruction Fuzzy Hash: A8017DB140A3528FC3169B79E951096BFE5FE96600344C5BFC486CB636DB64E84EC3A1

Function 072E6D18 Relevance: 2.0, Instructions: 1980COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b7246c963de6c44588a67394a2c6695aa7b52f3d06caa72c3b3413f23127c8
Instruction ID: b8002c1c28a97c24dc9842c36e463c812fcc539953d6e93229d5e9232818339a
Opcode Fuzzy Hash: 20b7246c963de6c44588a67394a2c6695aa7b52f3d06caa72c3b3413f23127c8
Instruction Fuzzy Hash: D5231075A12204EFCF666F64D628659B732FF4A34AB20846BDD0267760CB7E9D42DF00

Function 072E6D28 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0aaf143af5d7071b3e5e8b7cbeb972f70d9457ad53755a71b4e194e7574acc
Instruction ID: 2ec9b6e5075ca76d88b0b7d1af0c4626ff97d1be1b4152313ced7050b01e9861
Opcode Fuzzy Hash: ab0aaf143af5d7071b3e5e8b7cbeb972f70d9457ad53755a71b4e194e7574acc
Instruction Fuzzy Hash: D6232075A12204EFCF656F64D628659B732FF8A34AB20846BDD0267760CB7E9D42DF00

Function 06E32018 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E3227E

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09b710c2e98d19c15eb0658683d928527f7cab46210cc91c50214c4b3707093f
Instruction ID: 290e3fe54869a24dd1fcf34772d3906a699d3ce87ea0acd4cb2ad927fe703cbe
Opcode Fuzzy Hash: 09b710c2e98d19c15eb0658683d928527f7cab46210cc91c50214c4b3707093f
Instruction Fuzzy Hash: 16816370A00B158FD7A4DF29D54879ABBF1FF88304F008A2DD58A9BA50DB75E949CF90

Function 06E310D0 Relevance: 1.7, APIs: 1, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06E322F9,00000800,00000000,00000000), ref: 06E324EA

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aeb823b0dcdf96520d41fcd4673fe3e03b637ff2bd52c215861452e3a30ec55a
Instruction ID: 6bb3dc9292e47ff4edf2b1ca33ec8d7e770dfc40e8d8770f8a9fc14d29542b59
Opcode Fuzzy Hash: aeb823b0dcdf96520d41fcd4673fe3e03b637ff2bd52c215861452e3a30ec55a
Instruction Fuzzy Hash: 52619B71A003298FCB90DFA9C948AEEBBF5AF89314F14806DD905D7361CB71E945CBA1

Function 073D3460 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

(bq, xrefs: 073D3941

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 6cc70a986b7cd5f56c4f8676701f705768bf742c6b4d75c78739c6eb40d7eae3
Instruction ID: f2ac92239491e1874696a862a1d77645329f2da781a431cf5ed9bb374763df69
Opcode Fuzzy Hash: 6cc70a986b7cd5f56c4f8676701f705768bf742c6b4d75c78739c6eb40d7eae3
Instruction Fuzzy Hash: 32F15BB5A00206CFDB14DF69E484AADBBF6FF89310F158469E40A9B351DB34EC45CB91

Function 072E19A0 Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

}k^, xrefs: 072E1EFC, 072E1F01

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: }k^
API String ID: 0-2436555042
Opcode ID: 34d163f736b7dfd3d1f0868ee5da91d741e6ff6c643913761fd88b84731711f5
Instruction ID: 77d9738b1736a054cc9ff98aa7f6b60041e200b97754877df871ea3c977b17d3
Opcode Fuzzy Hash: 34d163f736b7dfd3d1f0868ee5da91d741e6ff6c643913761fd88b84731711f5
Instruction Fuzzy Hash: F60268B0A10209CFDB18EF76E44455DBBB6FF88301B60416DD8169B3A4DB39ED86CB85

Function 05B52F50 Relevance: 1.7, APIs: 1, Instructions: 157threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05B53010

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: baef1f61e4b32dedd4c422a68f77dcf5b1016ab327c97918540c98b542ac1450
Instruction ID: ad79cd62302a7ebec4762f810c59f76b055f4abf1bcf6be0b08ba0b6c339840a
Opcode Fuzzy Hash: baef1f61e4b32dedd4c422a68f77dcf5b1016ab327c97918540c98b542ac1450
Instruction Fuzzy Hash: 05614A70A04209DFDB18DFA9D498BADBBF1FF48350F148499E801AB391CB79A885CF50

Function 05B516D0 Relevance: 1.7, APIs: 1, Instructions: 154threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05B53B04

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 59210e10f0c7e3e2f110e735a5ce519d4aabec752f78b457b2f7dd9312a0c21f
Instruction ID: 9eccff81f79df577faf952028a906d234793ee4a67e5c07697284beaf4ad582d
Opcode Fuzzy Hash: 59210e10f0c7e3e2f110e735a5ce519d4aabec752f78b457b2f7dd9312a0c21f
Instruction Fuzzy Hash: 2E515B70A002448FCB28DF59C548BAEBBF2FF44360F148899D855AB391D735B841CBA4

Function 06E33C30 Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7434b31573ab803916290cd290ae9364992e4a1783bb21ebf6cd544184c1a0ed
Instruction ID: 75cfddd1b28e2576ce0841a0a262b9184e256ec96620790b608ce5c19691f170
Opcode Fuzzy Hash: 7434b31573ab803916290cd290ae9364992e4a1783bb21ebf6cd544184c1a0ed
Instruction Fuzzy Hash: BD511EB1C00398AFCF55CFA9C984ACDBFB6BF48304F14816AE808AB221D7319945CF90

Function 073D7988 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

(bq, xrefs: 073D7A6C

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 4e37fb9420c93535ccd7a151d37aa28dc5f1889c30e6eb077f007d6ba41b282b
Instruction ID: 07427350450cb6ca5c9834e48114a5d10ca7f4d821a7fe0ba5508afcaf3c4c7b
Opcode Fuzzy Hash: 4e37fb9420c93535ccd7a151d37aa28dc5f1889c30e6eb077f007d6ba41b282b
Instruction Fuzzy Hash: A7D133B2B042568FD715DB78E4446AEBBF6EFC1310B1481AAE809CB751EB34ED41CB91

Function 06E33C85 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E33DA2

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cf33e47562ebef9efeb9b29fe33ebb36b36949640b2353a5c805fe75023b1483
Instruction ID: b454ffc7e7c6807e31481948ed6eb3c64aca75811d1777ddb63cd94cc09e7cc0
Opcode Fuzzy Hash: cf33e47562ebef9efeb9b29fe33ebb36b36949640b2353a5c805fe75023b1483
Instruction Fuzzy Hash: 1451DFB1D003599FDB14DFA9C984ADEBFB5FF88314F64852AE818AB210D7719885CF90

Function 06E33C90 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E33DA2

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f701c3455484e9d731d4ef67e8c04768a9b3fc47234875409d298e6b98716459
Instruction ID: 04dc8864f55de6e85ff5045372c39fb5a7181a4b5f929ed2ca9c7781c33b8b2f
Opcode Fuzzy Hash: f701c3455484e9d731d4ef67e8c04768a9b3fc47234875409d298e6b98716459
Instruction Fuzzy Hash: 6941CFB1D003599FDB14DFAAC984ADEBFB5BF48314F64852AE818AB210D7719885CF90

Function 0166C8AC Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0166C969

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5bf264058d562378588ce60ad6068ff37b15aee0fd9f893f4d58ce5f938188e3
Instruction ID: 3f9f75a38655aa49f627682be1b803c9cf17d95224f55269bb01238c792b030d
Opcode Fuzzy Hash: 5bf264058d562378588ce60ad6068ff37b15aee0fd9f893f4d58ce5f938188e3
Instruction Fuzzy Hash: BC4102B0C00719CFDB24DFAAC944BDEBBB9BF48304F24816AD448AB255DB756945CF90

Function 06E3285C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06E36151

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ed225d95294d9bee317741064522e8d162da1a3a59537e542979532ef9a28029
Instruction ID: cca274bcb2ef842db59127eb46d86d2374fea19ec435cf584e4902a5f6c7b8fe
Opcode Fuzzy Hash: ed225d95294d9bee317741064522e8d162da1a3a59537e542979532ef9a28029
Instruction Fuzzy Hash: D04127B4A00319DFDB54CF99C889AAABBF5FF88314F24C459D519AB321D770A845CFA0

Function 01667894 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0166C969

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 963967268127f9ec14735cb2f88996814b2c6a7ec87dc216c009a9c511931404
Instruction ID: b565382032adbee5f132a3687a93284df9601cab77153fb727198e92a7e205e7
Opcode Fuzzy Hash: 963967268127f9ec14735cb2f88996814b2c6a7ec87dc216c009a9c511931404
Instruction Fuzzy Hash: 3741D1B0C00B19DFDB24DFAAC844B9EBBF9BF48304F24816AD448AB255DB756945CF90

Function 05B5345B Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05B534EA

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e9b6fd57fcc3c7977f2a5ed98bb480e6f9070f0cbb6cbf361d202bc212bfface
Instruction ID: 457cc4dc5c6ed7da9a20d50e73c90bce03f0ec7b9e6cb4036679232a6c74d6c6
Opcode Fuzzy Hash: e9b6fd57fcc3c7977f2a5ed98bb480e6f9070f0cbb6cbf361d202bc212bfface
Instruction Fuzzy Hash: CB2153B4A0024A8FCB00DFA9D444B9EFBF1FB48314F14C569D829AB311C334A988CFA1

Function 05B53550 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05B535C9

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 4ff603e23229d6d4bf78e8585678e97a1210a0eaa81300e12d0d1a18efdbb5fc
Instruction ID: a6e1211289b079f4200f31246a37e6161c89f42b2dfd82e588aa3961119c3703
Opcode Fuzzy Hash: 4ff603e23229d6d4bf78e8585678e97a1210a0eaa81300e12d0d1a18efdbb5fc
Instruction Fuzzy Hash: 8C2138719002198FDB14CFAAC844BEEFBF4FB88320F14842AD855A7390D778A945CF65

Function 0166E590 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0166E61F

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ba7ed57668546bcbd20d94b61c6f1fbd4ab38b1e267e3902243ff0632aca1048
Instruction ID: 691f9b3c229884297008ba990cb3863fa2dca0ac936dbc08a5abc7d3b0891c7a
Opcode Fuzzy Hash: ba7ed57668546bcbd20d94b61c6f1fbd4ab38b1e267e3902243ff0632aca1048
Instruction Fuzzy Hash: 682114B5900258AFDB10CFAAD984AEEBFF8FB48310F14801AE954A7310D375A954CFA4

Function 0166E598 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0166E61F

Memory Dump Source

Source File: 00000003.00000002.2364217063.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1660000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7d6bf95fe965878e731db17ff12311373128e57ed091bf1d67243393acd6ec1b
Instruction ID: fb0d4f39f1a58362349fe81a0798ee07608b4620480245b0f959564a0cd0fd1a
Opcode Fuzzy Hash: 7d6bf95fe965878e731db17ff12311373128e57ed091bf1d67243393acd6ec1b
Instruction Fuzzy Hash: 3E21E4B59002589FDB10CF9AD984ADEBFF8EB48310F14841AE914A3350D375A944CFA4

Function 05B53558 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05B535C9

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 88bd4d921a767757bfa22e63b40a2b39f655ca2fe1a70189e7f500105be7a414
Instruction ID: 1578cec7df5c6363ad4538d3fb4b1063dc31016c24ad977662f12190e13641e6
Opcode Fuzzy Hash: 88bd4d921a767757bfa22e63b40a2b39f655ca2fe1a70189e7f500105be7a414
Instruction Fuzzy Hash: 092138B19002098FDB14DF9AC844BEEFBF5FB88320F14842AD859A7350D774A945CF65

Function 06E32478 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06E322F9,00000800,00000000,00000000), ref: 06E324EA

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71d4210801a674161a89e98de19706dd4ee486a566ccca869fb7518497ef5445
Instruction ID: 5691ab36f64564ebc4be2dcef8c0754a92fc78bebcdc6f26d6e64b29753e5f5f
Opcode Fuzzy Hash: 71d4210801a674161a89e98de19706dd4ee486a566ccca869fb7518497ef5445
Instruction Fuzzy Hash: 3C1137B6C003189FDB10DF9AD848ADEFBF4EB48310F10842ED559A7210C379A645CFA5

Function 06E31080 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06E322F9,00000800,00000000,00000000), ref: 06E324EA

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76998ba497306cdad38699d08433b9737413df619fd1a8960520b4b25ec8ac86
Instruction ID: 12d1d56a65aaa00398e8736f668b1eb9a13bd2881b285655701f0a80551fd40b
Opcode Fuzzy Hash: 76998ba497306cdad38699d08433b9737413df619fd1a8960520b4b25ec8ac86
Instruction Fuzzy Hash: 681126B6D003199FDB10DF9AD848AEEFBF4EB48314F10842AD959A7210C375A645CFA5

Function 05B51764 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05B539FD

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 92dee79afcb5e9194c0103809e575901cb1af4c2e30a01719cb8e1185bd3b0c6
Instruction ID: 778af8f22ca0a355ed801f7936b5555c0b8000de54f954c5970f4251b0ccdb76
Opcode Fuzzy Hash: 92dee79afcb5e9194c0103809e575901cb1af4c2e30a01719cb8e1185bd3b0c6
Instruction Fuzzy Hash: 1211F5B5804348DFCB10DF9AC449BDEBBF8EB48360F108859E955A7350C375A944CFA5

Function 05B51680 Relevance: 1.5, APIs: 1, Instructions: 47threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 05B532A8

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b428147ab14226c31a8f50701ee87044fbc3214ba47051a6e0ca82cfe3a4142
Instruction ID: eb082538951fb98891cc3b9b19e3f40d48f9d88b6032f6cba06a3384c66ad4b8
Opcode Fuzzy Hash: 8b428147ab14226c31a8f50701ee87044fbc3214ba47051a6e0ca82cfe3a4142
Instruction Fuzzy Hash: AD111371900349DFDB20DF89C84ABEEBFF4EB08324F108859EA55A7250C375A544CFA5

Function 06E32218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E3227E

Memory Dump Source

Source File: 00000003.00000002.2381922634.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e30000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 91e518e7df565d55e0cf65d6bd08e21bbde09515cbedac26f05d524a9e2db99d
Instruction ID: bae4d168cdfc58d4372bf75829e870c5cc79c108477c91bbd5b9b36c438c78e8
Opcode Fuzzy Hash: 91e518e7df565d55e0cf65d6bd08e21bbde09515cbedac26f05d524a9e2db99d
Instruction Fuzzy Hash: 5A11E3B5C003598FCB10DF9AC948ADEFBF4EB48314F14841AD959A7610C375A645CFA5

Function 05910E94 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0591163D

Memory Dump Source

Source File: 00000003.00000002.2379133338.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5910000_MSBuild.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 941925c1050c41f5dabdf2d094005fbfc9addda9aff3f4e1e1d1bdfdbbf02e9d
Instruction ID: 29a96591a72f68996ba47ec7a89be1328f02e3424cdca599470665f86d88615a
Opcode Fuzzy Hash: 941925c1050c41f5dabdf2d094005fbfc9addda9aff3f4e1e1d1bdfdbbf02e9d
Instruction Fuzzy Hash: C01133B09003589FCB20DF9AD548BDEBBF4EB48324F14845ADA19A7250C375A944CFA9

Function 05B53999 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05B539FD

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4801dd19d689301f703d201f34af62aebd4073b8c6e5ae2c75d3b8367e24e784
Instruction ID: a167875fc989bf93da089ff0adc6bf07ce6bbf77be3b19448ef2d3e0a99b8f08
Opcode Fuzzy Hash: 4801dd19d689301f703d201f34af62aebd4073b8c6e5ae2c75d3b8367e24e784
Instruction Fuzzy Hash: 9A11F2B5800349DFDB10DF99D845BEEBBF4EB48320F20845AE959A7750C379A984CFA4

Function 05B53243 Relevance: 1.5, APIs: 1, Instructions: 46threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 05B532A8

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2b0039e4503042ea567d8307fd544211b4c6a654c96e057a8f0e6351e2f28b51
Instruction ID: 1a4df2c82a10c3793503a0b412cceb927d03833370fb683afec485255c333429
Opcode Fuzzy Hash: 2b0039e4503042ea567d8307fd544211b4c6a654c96e057a8f0e6351e2f28b51
Instruction Fuzzy Hash: 5B112871800349DFDB20DF9AD84ABDEBFF4EB08324F148459D954A7640C3756544CF95

Function 059115E0 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0591163D

Memory Dump Source

Source File: 00000003.00000002.2379133338.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5910000_MSBuild.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d3066f01d133f0d4b196ff89dcbf7826fb161442b169f21c0e281f785af7dae2
Instruction ID: 8931380e3dad0a36edd148cee1a5e43140f590e5db85c630d990bd25caf2163e
Opcode Fuzzy Hash: d3066f01d133f0d4b196ff89dcbf7826fb161442b169f21c0e281f785af7dae2
Instruction Fuzzy Hash: 4F1145B09003489FCB20DF9AD548BDEFFF4EB48324F148459D958A3210C375A544CFA9

Function 072E0704 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

\Vl, xrefs: 072E09C7

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 58be7f66e125f26907a3054367e27bc6dcbc22c4f4a6d7ec4a8a37bf191243b1
Instruction ID: 112378a17bf6be816ffd7d8d09851f0b599ff6bb95aff3b60cc5056116e57bb4
Opcode Fuzzy Hash: 58be7f66e125f26907a3054367e27bc6dcbc22c4f4a6d7ec4a8a37bf191243b1
Instruction Fuzzy Hash: 17B15FB0E2020ACFDB20CFA9C8857EDBBF5EF48704F648129D415A7254EBB49846CF91

Function 0740228F Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

#kk^, xrefs: 0740258D, 07402592

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID: #kk^
API String ID: 0-3588070202
Opcode ID: 2f8d903b14a30274403b5611f762963976f73412877c88702da0739e74d70eca
Instruction ID: 60c9231cd950923d908537b1f95e14db74f68cc930378a9ed46be5be79fbfcfd
Opcode Fuzzy Hash: 2f8d903b14a30274403b5611f762963976f73412877c88702da0739e74d70eca
Instruction Fuzzy Hash: F1918BB4A01206DFC714DF68D094A9EB7F2FF88300B15446AE845DB391DB75ED42CB91

Function 073D914A Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

(bq, xrefs: 073D9339

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b483245945eaf00f9e8df51f5ff9d62de4ffbe20eef4abe00e32c3435a22b8fa
Instruction ID: fc8a923cf0698936fd2a6a925919a1f9c46ec09442a295409cc4fbd577db3ada
Opcode Fuzzy Hash: b483245945eaf00f9e8df51f5ff9d62de4ffbe20eef4abe00e32c3435a22b8fa
Instruction Fuzzy Hash: D67102B1B042549FD705DF79E414A6EBBF6EFC921071480AAE409CB3A1DB35EC42CB91

Function 073D92E0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

(bq, xrefs: 073D933A

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 366259886c8930755ceb4b6ba5a263196a486e94ef390cefcf6e39c8326c2dad
Instruction ID: 8367abbb85a7e31f11eca72053586fb801ecb4666f77e6a3dde409e4b87b90e8
Opcode Fuzzy Hash: 366259886c8930755ceb4b6ba5a263196a486e94ef390cefcf6e39c8326c2dad
Instruction Fuzzy Hash: E6312272B052559FD715AB3DA018A1EBFEAEFC535071480AAE80ACB391EF35DC02C791

Function 073DB557 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DB630

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7cc27825d60c00793d8d091469ec974a24e3fbff74d813ca0b4702690bc7cb68
Instruction ID: 7a6ad4feed1f2303a3c68bc133686177a64fe700dd5b1dfac9a780705f6c5224
Opcode Fuzzy Hash: 7cc27825d60c00793d8d091469ec974a24e3fbff74d813ca0b4702690bc7cb68
Instruction Fuzzy Hash: F9310371249392AFC306DF78D5A0A85BFA1FF82214F1441ABD4848F2A2D774E949C791

Function 073DCCB0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

{=nk^, xrefs: 073DCD6A

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: {=nk^
API String ID: 0-2339049041
Opcode ID: 2a393831305d27f7caf68e907270a3d3fb141e5eb5e6eef610d6212614e2e38c
Instruction ID: 5692d2630cc5b6ea3531a9da271d4e11bb14e13e2e14076c3f4b10b97be94235
Opcode Fuzzy Hash: 2a393831305d27f7caf68e907270a3d3fb141e5eb5e6eef610d6212614e2e38c
Instruction Fuzzy Hash: AA3103B27103078FEB159F6CF9645AABBB5FF85200B00422AE409CB761EB34DD44CBA1

Function 073D20D1 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Hbq, xrefs: 073D2155

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 51d50f6831963594a24579b36e8e93c288439a67572c8b27dc67920ff5b700d7
Instruction ID: 396374f7adcfd95b9b2edf4ceaefe1200109314bdbc860b978511d60a0f26d5e
Opcode Fuzzy Hash: 51d50f6831963594a24579b36e8e93c288439a67572c8b27dc67920ff5b700d7
Instruction Fuzzy Hash: 6F2103B67043815FD7265A78B41167A7FB6AFC1350B0480ABEA06CB282CA26CC46D752

Function 073DCCC0 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

{=nk^, xrefs: 073DCD6A

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: {=nk^
API String ID: 0-2339049041
Opcode ID: 9d4cf7f285e0e73fbea4994cbef8aca39cf9f4de66fa320ec7ed3dfc54ae573d
Instruction ID: d2f4d39540ee1255b3b66523126b78b4458d85661d63a6b1192a02840021f79a
Opcode Fuzzy Hash: 9d4cf7f285e0e73fbea4994cbef8aca39cf9f4de66fa320ec7ed3dfc54ae573d
Instruction Fuzzy Hash: 3131A2B27102068FEB05DF6DE95496ABBB5FFC4204B004229E409DB361DB30DC44CBA1

Function 073DB5B8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DB630

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9befc977d16a14c24f4ef4ca3b147c2f643a80cccd26d7b9de49b1b561ab4545
Instruction ID: 1cb3438c55b2404a9b609e6b0e74e67f44d870d831e2342932e89fc6ac541f8f
Opcode Fuzzy Hash: 9befc977d16a14c24f4ef4ca3b147c2f643a80cccd26d7b9de49b1b561ab4545
Instruction Fuzzy Hash: 4721AEB5300606AFC704DF69E48495AFBE6FF89314B048669E84A8B765DB70FC46CB90

Function 073DE800 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DE8A4

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2101520397f4da630a619a81b1310c394ad9f3fe4a93e25416c25db8809e1e6c
Instruction ID: eb6fb518029d2fa8429981867fe9a1824064b15aa0db4d39626d8e534e276c96
Opcode Fuzzy Hash: 2101520397f4da630a619a81b1310c394ad9f3fe4a93e25416c25db8809e1e6c
Instruction Fuzzy Hash: FB11E571A0828B9FDF45DBA0F5666D87FB0FB42644F1040EDC048AB612CA3A1E0A8B52

Function 073DFD00 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DFD36

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2d2431f84925bc76ae5de3c204cc412e8ff8bc9c66083d3d2240e12de0f15b8e
Instruction ID: e97a35bd18e6790b3e21fe5c27f5946c4e22ad42fc9a3d0c8e2d5928b35f69b5
Opcode Fuzzy Hash: 2d2431f84925bc76ae5de3c204cc412e8ff8bc9c66083d3d2240e12de0f15b8e
Instruction Fuzzy Hash: E701B9322407464FC711DF29E9509CAFBA5FF81710B409A3590568BA69DB70FD4DCBE0

Function 073DFD10 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DFD36

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b2a41ec5026f738577704b5561cf93302975de0ee0cb5198a769680639fec455
Instruction ID: eae3e879418a237b4b9508c09ca8d9931da2928268ed2b0f48e738aa1c7ca453
Opcode Fuzzy Hash: b2a41ec5026f738577704b5561cf93302975de0ee0cb5198a769680639fec455
Instruction Fuzzy Hash: 8F0117312506069FC724DF29D94098BF7E5FFC0710B409A3990564BA69DB70FD498BD0

Function 072E94E1 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072E94B1

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 961dd1e9a009f78d7b37097ed772a05a04331225fe17a765d18e1627ef240032
Instruction ID: bacfaf3dcdb7b74d4d7e2d31a6e428d79840c70634394852e026c06c3b817f36
Opcode Fuzzy Hash: 961dd1e9a009f78d7b37097ed772a05a04331225fe17a765d18e1627ef240032
Instruction Fuzzy Hash: A2E06DB0A0420ADFDF04DF78EA805ACB7F6FF94300B2045AAC448D7295EB315E01DB41

Function 072E9501 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

k9Y!0, xrefs: 072E951F

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: k9Y!0
API String ID: 0-1825060378
Opcode ID: 1a258f9819a81aea3134f13c74b2dacf708ed03060098174ee22539feebf15dc
Instruction ID: 4089f123e44d24feac547e44aef1169bfad87acd65bd9b4e6edb1e9ac50a913a
Opcode Fuzzy Hash: 1a258f9819a81aea3134f13c74b2dacf708ed03060098174ee22539feebf15dc
Instruction Fuzzy Hash: 8ED02BB26053046FEB059A6894504DABFEDCB44120F000077CA88D7242EA311D408BD9

Function 072E9510 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

k9Y!0, xrefs: 072E951F

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID: k9Y!0
API String ID: 0-1825060378
Opcode ID: 36e9b0ec8edbbd93d519c8e907d776124cbecf7fec37ccdd52cdc0a5a76e0181
Instruction ID: 950549117056928a627ae58f871db473673e58bc31ee1cf33f7a4eda7653a720
Opcode Fuzzy Hash: 36e9b0ec8edbbd93d519c8e907d776124cbecf7fec37ccdd52cdc0a5a76e0181
Instruction Fuzzy Hash: 0ED012B26442182B5B05EAADA4505DFBF9DDB84170F00447AD50DD7645ED715A4042DD

Function 072ECC08 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9609fea2c02c7eb9c96714056dc43e168aa6f40d4fdef259bad80eec21515574
Instruction ID: cc02952771ca31171d7335b8fd6ee8ae14c88bd928b54b988e606ee9bcb7261e
Opcode Fuzzy Hash: 9609fea2c02c7eb9c96714056dc43e168aa6f40d4fdef259bad80eec21515574
Instruction Fuzzy Hash: AFE15B74A0020ADFCB14DFA4D594A9EBBF6FF88310F148529E8169B365DB35EC85CB90

Function 0740C76B Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f0119f4a346c3e3f87bf998246f255140507c30727c01625f31e17d54b0e51
Instruction ID: d867262a0785e0137d285c9783f7475ab10d7bdec6034b5939e011bf0a937c91
Opcode Fuzzy Hash: 24f0119f4a346c3e3f87bf998246f255140507c30727c01625f31e17d54b0e51
Instruction Fuzzy Hash: 3BE13DB4A0020ADFDB14DFA4D598AADB7F2FF85300F118569D416AF3A4DB709C85CB90

Function 073D5560 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3856e9b045e57d115cfa40891ac944aaab36d5fcc03f9b09ec07859f23faa2
Instruction ID: 89b54cdac2d9c79e80e9e42c0f648d7b9cdc2089579aad8bbe8b4fd072f20998
Opcode Fuzzy Hash: 9f3856e9b045e57d115cfa40891ac944aaab36d5fcc03f9b09ec07859f23faa2
Instruction Fuzzy Hash: 49D16FB1A002069FDB14DF64D49466EBBF2FF88310F148568D41AAF7A5DB70EC49CB91

Function 073D6588 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bffd91e440febd7fe1de909c55b5550c234001a14279f7430b22c5c917b1ee
Instruction ID: 974df21742cd550553f5b2535772aeba29dcd9b17bcaa3adbf7554a779891cc4
Opcode Fuzzy Hash: d9bffd91e440febd7fe1de909c55b5550c234001a14279f7430b22c5c917b1ee
Instruction Fuzzy Hash: A5D108B5A0020ADFDB14DF64E985A6DF7B2FF84310F14C528D4199B269DB70EC89CB91

Function 072EE921 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9221c75628e08715d22532a6d997edbf9e59e759a82fe92a40ee1b5f54540e0
Instruction ID: 96f0795def16c25df6814d5dd6c3b88fd8560e908e5b86917717b6de146cdb19
Opcode Fuzzy Hash: d9221c75628e08715d22532a6d997edbf9e59e759a82fe92a40ee1b5f54540e0
Instruction Fuzzy Hash: 39D14A71A0021ACFEB54DF74D958BADBBB6BF88300F1084A9E40AA7395DB359D81CF50

Function 072E1971 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1df14e77f918581cc333f55e7a17704653beeaf39cb91307b0f29708ac352e
Instruction ID: b93f6a10aa7635903423c402cc3a9c98bbfae7bbd0e56a6bedf8617a7a64fc54
Opcode Fuzzy Hash: fb1df14e77f918581cc333f55e7a17704653beeaf39cb91307b0f29708ac352e
Instruction Fuzzy Hash: CCC1DBB0B10209CFDB08EF79E04455D7BB6FF88301B604569D8069B3A5DB38ED86CB85

Function 072EDA10 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20919a8fba298cb8462a49d046dc57bdde0c8b55c3e3ce14daeddc5f8e68e065
Instruction ID: 7f5904df378d090d8fe643c491b1218efb05a9c12599e0824b7f6805995342a5
Opcode Fuzzy Hash: 20919a8fba298cb8462a49d046dc57bdde0c8b55c3e3ce14daeddc5f8e68e065
Instruction Fuzzy Hash: B3A1BFB57002469FDB14DF78C894A6A7BBAFF89300F1540A9E806CB3A2DB35DC41CB91

Function 0740F0D2 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4abae31db7b439ed42093a61fe9f8b0bedde0552dee835658766db0796f45b
Instruction ID: 9601acffc7f11285eac5f32e3c3d1a6af1fcca832022750b37c9b02695454393
Opcode Fuzzy Hash: fa4abae31db7b439ed42093a61fe9f8b0bedde0552dee835658766db0796f45b
Instruction Fuzzy Hash: 95A191B4B101059FD724DF68C494AAEBBF2EF89220B15817AE805DF395DB35EC45CB81

Function 072E0FD4 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bff38f7aaa80e2c15890be00aaf01304b6733242fdd6245e00e74349e7574c5
Instruction ID: 8f40355e55453b726cdc6e8eaf125bb85cf2a070380f2ed6565661349d6fdd84
Opcode Fuzzy Hash: 6bff38f7aaa80e2c15890be00aaf01304b6733242fdd6245e00e74349e7574c5
Instruction Fuzzy Hash: AEB15BB0E2024ECFDB10CFA9D88179DBBF9AF48314F648129D815AB294EB749855CB81

Function 0740FCD0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217f4febbeac5df6bb9b7df0d78dd0935406987fd8d7524674d934480410610a
Instruction ID: 1c1f8b2c7e56626b0499e5b06387a8f32b383627b46e14ada6941255c40a6382
Opcode Fuzzy Hash: 217f4febbeac5df6bb9b7df0d78dd0935406987fd8d7524674d934480410610a
Instruction Fuzzy Hash: 8181A1717003058FDB259F38D458AAABBB2FF89311B14857DE4069B3A1DB35DD4ACB90

Function 073DA420 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edcf5ea076f8463a7a93cfc17f4bdb95433f62f22c910078b9b38882a78ed44
Instruction ID: a6b5e7433ab6292dda443814e9a612236f973e8d9ef38a247d3a536e94a7b5cd
Opcode Fuzzy Hash: 5edcf5ea076f8463a7a93cfc17f4bdb95433f62f22c910078b9b38882a78ed44
Instruction Fuzzy Hash: 97916DB5B002158FDB54DF68D584AAE7BF6FF88310B1485A9E91ADB392DB30DC05CB90

Function 072E5C48 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf8faddd3160ddbf94962672d03894673617ad914b32845ad487fcd8a719e43
Instruction ID: 47ecd5663c31d3984f08199f4476ccac5da073db56bc607073f6c650612d7c99
Opcode Fuzzy Hash: ccf8faddd3160ddbf94962672d03894673617ad914b32845ad487fcd8a719e43
Instruction Fuzzy Hash: 2971B1B1B212158FDB54AF7DA46816E3BBAFBC4340B5144A9D406EB785DE388C42CBA1

Function 072ECBF8 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5e8c3027f5f9eff2089fef45608fc992c5789f61334f559352a48ddbc3404
Instruction ID: a3c67d0c0b64a2c57c8f9a913fa48040d394de551396c3f1280986e22b32e2bd
Opcode Fuzzy Hash: bec5e8c3027f5f9eff2089fef45608fc992c5789f61334f559352a48ddbc3404
Instruction Fuzzy Hash: 3D810774A0020ADFCB18DFA4D59499DBBF6FF88310B158569E816AB365DB30EC85CF90

Function 072E1AAD Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9905113e5b41914572c64233a2e191b04fbe35dd34803e96aea6b90401f2c0d
Instruction ID: 13c2eb774c904d01fc00322e8844d2cd5c8d0ed3bcdec5d5be24bf100bb280ab
Opcode Fuzzy Hash: b9905113e5b41914572c64233a2e191b04fbe35dd34803e96aea6b90401f2c0d
Instruction Fuzzy Hash: 3A8176B4B10209CFDB09EF76E44451DBBB2FF89301B608469D8169B3A4DB399D86CB85

Function 073D8CB8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eeec9926d24a72d1fa7d82a5e85a036df5d572057f39a5f4cc591096865fe14
Instruction ID: 9e1ec8a1b2ec26a8bf4a15fb8c49803bd7f309c0e1e7057da187a79c1e89b0f4
Opcode Fuzzy Hash: 4eeec9926d24a72d1fa7d82a5e85a036df5d572057f39a5f4cc591096865fe14
Instruction Fuzzy Hash: 9851C1B2B002068FEB549F7DA45866EBBE6EFC8350B148479D80ACB385EF35DC018791

Function 072EC228 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de001e03a1bd64afe2b45d6ce63c764e29efdb4c4ea9ff05838ee5bf54d87659
Instruction ID: c4e27cea7081d914ca3d8bc87e1aa4429e52397162d68d98131a5c465c2d99b8
Opcode Fuzzy Hash: de001e03a1bd64afe2b45d6ce63c764e29efdb4c4ea9ff05838ee5bf54d87659
Instruction Fuzzy Hash: 16714AB5E1030A8FDB14DFA9C4546AEBBF6BFC9300F24851AD805AB391DB709C46CB51

Function 0740EB00 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad3667b2b67b3d778ce6814a5a62374894c4092cc56f4ec03efa7ba44f0346b
Instruction ID: 946381cf20eb978ddc9998ce92c3568fae41ae1a63624874e544eaf7081d48e0
Opcode Fuzzy Hash: 8ad3667b2b67b3d778ce6814a5a62374894c4092cc56f4ec03efa7ba44f0346b
Instruction Fuzzy Hash: 9D5118F27092218FD715EB2CE4546AABBF5EB85310714497BD809CB385DA36DC52C7D0

Function 073D9C20 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aff66edf4fa8c20f7916fab3d60649f8e4927576ab8f1fc4f0f23a1c341fef2
Instruction ID: 0bc082f950244ec7ef677d89cbf4a13316b050b7c5a190fec986b650fe6c54ac
Opcode Fuzzy Hash: 8aff66edf4fa8c20f7916fab3d60649f8e4927576ab8f1fc4f0f23a1c341fef2
Instruction Fuzzy Hash: 2C51C0B57002068FDB14DF7CD454A6ABBEAEFC82507148469E90ADB355EB31ED02CB91

Function 07405080 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77bc82aeb69e1064c9838b028190783a172d9f479a33896fa48bdd41dea19f8
Instruction ID: 043d19a74796e176c715df5346a7acd051ddb90e4d92d2536be46d420bd72b41
Opcode Fuzzy Hash: f77bc82aeb69e1064c9838b028190783a172d9f479a33896fa48bdd41dea19f8
Instruction Fuzzy Hash: EC514DB4B002058FEB54DB69C498AAEBBF6FF89350F144469D806EB391DA35DC41CF90

Function 07404FE1 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0b5b7e8b3c150d55b265a16ecc55c0e3786d0b407c5a89a36c78102174e57d
Instruction ID: e349a0bd3a1cff4223e0ebbdfe9cea2914976d1c6f6cf382931aa6b9de05b68b
Opcode Fuzzy Hash: 9e0b5b7e8b3c150d55b265a16ecc55c0e3786d0b407c5a89a36c78102174e57d
Instruction Fuzzy Hash: 94518D70A052498FDB15CB68C458AEEBFF5FF49310F1840AAE841AB3A1DB359C85CF90

Function 072EC010 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af3351c4783c96f992571bbf1b24776c816be135c73780e02e6471c8f9db6cc
Instruction ID: 6ab2d8191220a55afa3a7a2477aa3b39aedf370af325978901a28a54419cec26
Opcode Fuzzy Hash: 6af3351c4783c96f992571bbf1b24776c816be135c73780e02e6471c8f9db6cc
Instruction Fuzzy Hash: 82514E75A1021AEFDB18DFA4D9449EDBBBAFF88310F104029E812AB364DB359C41CB60

Function 07409C38 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcee2b45e189aacde17036f256b0329c46371a540824928e7ea36c95f58ac0d2
Instruction ID: 02a3e39b8c6cd63e6f3a7663af9c31e3af8c36f3a9b47e8286c26ea63bf0226d
Opcode Fuzzy Hash: bcee2b45e189aacde17036f256b0329c46371a540824928e7ea36c95f58ac0d2
Instruction Fuzzy Hash: BD41E4F57082519FD715CB2CD4586AABBE5EF85360B1480BAD809CB396DB36EC41CBD0

Function 0740C5B9 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db0b3ed30956fff9bbd869d67efe2b977eb74c6fa0386b69a9a8a844c2e80a7
Instruction ID: 4a999cbb2594a51ba646a91f3c6b48f9a9d1fc022811eb0235b42cfe82763c60
Opcode Fuzzy Hash: 2db0b3ed30956fff9bbd869d67efe2b977eb74c6fa0386b69a9a8a844c2e80a7
Instruction Fuzzy Hash: BE61C4B4E0020ADFDB14DFA4D598AEDBBF1FB48300F15856AE416AF395DB709845CBA0

Function 072ECFCF Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd1da2ba9d0d537ccedd206634031be376f0eae9caab02c0dba022d35b22211
Instruction ID: 696e0c2e8e9f80f81ba8cc30808fc9aff9dcdfabd44da92655f43c6f7aa42eb0
Opcode Fuzzy Hash: 2dd1da2ba9d0d537ccedd206634031be376f0eae9caab02c0dba022d35b22211
Instruction Fuzzy Hash: 9D51E374A0020ADFCB18DFA4D594A9DBBB6FF48310F158454E815AB365CB31EC82DF50

Function 0740C120 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f12834ccee48588ca0b74adf16ce1b7adda21b12794721d8f17b42163c55db3
Instruction ID: 3270055ffe0f8cee1b8eafa481a65a90497ef15acc543db02e0d60b2245ba233
Opcode Fuzzy Hash: 2f12834ccee48588ca0b74adf16ce1b7adda21b12794721d8f17b42163c55db3
Instruction Fuzzy Hash: 2E4125B1300241CFD7119B7DE49469ABBAAEF85350F10857AE80A87386DE39DC02CBA1

Function 0740A1E1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c3eee7f2af9f3b1af5f1c1da5315efdfa23f2fb0d49d6135cc13c868943677
Instruction ID: 1dda048e0c422eb4b0ef58d6bb26d7b6ee1199260499ac757e4bdfdf116831ce
Opcode Fuzzy Hash: f8c3eee7f2af9f3b1af5f1c1da5315efdfa23f2fb0d49d6135cc13c868943677
Instruction Fuzzy Hash: 89518A74B006018FC729DF68E59856FBBF2FF88301B158029E8169B395DB749C46DB91

Function 07403E60 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04038714bb6d0a14e2158f917ba2fae3c0bd8f7b9183e2c8e2168f9ca5a37ac
Instruction ID: 317fa01828fbf9aed0688d2cc0b26ad32e4374c2eedeea2f195fb9dff55e0cf4
Opcode Fuzzy Hash: d04038714bb6d0a14e2158f917ba2fae3c0bd8f7b9183e2c8e2168f9ca5a37ac
Instruction Fuzzy Hash: B941C0B1B0024A9FEB05DF69D441A6EBBA2FFC1300F14C56AD4499B395DB31DD4A8B82

Function 07408B58 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515f2df7bd6e37c383a8486eef72f859afab4a7a388386a9a6710abe1079e60b
Instruction ID: fefe8aab994b53e885d34a2d790d7d652646d560050b37077f7f190454b0c753
Opcode Fuzzy Hash: 515f2df7bd6e37c383a8486eef72f859afab4a7a388386a9a6710abe1079e60b
Instruction Fuzzy Hash: 2E41ADB43002469FCB15DF38D59886ABBFAEF893007158569E80ACB391DB36DC06CB91

Function 073DA412 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3dde4393a1e813c33372fc6b7a625dfca690987ff14ca01d63c388266b21ab
Instruction ID: a23d9d708dca605d1839dec5d27df3b6d183ae5e51c4780ca8161d25f8530b7f
Opcode Fuzzy Hash: 7b3dde4393a1e813c33372fc6b7a625dfca690987ff14ca01d63c388266b21ab
Instruction Fuzzy Hash: 925141B56002158FDB45DF68D984A9A77F1FF89310B1585A9EC1ACF3A6DB30EC05CBA0

Function 0740E710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b793e2683aab6b38a225087bd96612e6f225e275202060a0d1547579eeca1b15
Instruction ID: 84b7dac32a9e46d792e59537532a1db54fb172b0c44142b06077b84735202fca
Opcode Fuzzy Hash: b793e2683aab6b38a225087bd96612e6f225e275202060a0d1547579eeca1b15
Instruction Fuzzy Hash: 62418074B00255CFCB14EF68D458AAEBBF2FF88300F10856AD8569B395DB34AC41CB91

Function 07407208 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe92e10f7a543fc129dcb1149cf3d5c27d3226d79ca5115aed0d3a68ad3ea431
Instruction ID: e87c0d794242121324de0f67b9c534dda9b2f6f39919285276708bc935514b02
Opcode Fuzzy Hash: fe92e10f7a543fc129dcb1149cf3d5c27d3226d79ca5115aed0d3a68ad3ea431
Instruction Fuzzy Hash: 6E4184B5B0020A9FDF15EBA8D4545EDBBB2FFC8210B10812AD415E7395DF74AC42CB91

Function 072E2130 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a4241a50c85f3b50eb0edacffe26090922f360d087770915cb9b8c865e5fbf
Instruction ID: bc736b576ecb486d835f32df0dfff332533c7f251ce3d531cb0df39699157dc9
Opcode Fuzzy Hash: 96a4241a50c85f3b50eb0edacffe26090922f360d087770915cb9b8c865e5fbf
Instruction Fuzzy Hash: D34170F0920A0ACBEB14DFA5D5497EEBBFDFB49300F604459D4427A280CBB54984CFA6

Function 073D4418 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032390008a697d408a01ac85789645d824eaf621f58c45568cfe82ac42efc2f2
Instruction ID: f36265806b6ede98c2aab4c69121a3fec08e2e4d184cc505bb44cb347b514967
Opcode Fuzzy Hash: 032390008a697d408a01ac85789645d824eaf621f58c45568cfe82ac42efc2f2
Instruction Fuzzy Hash: 4231C0B27402658FEB549B38A41872D37BAEB89700F198869E80ECB3A1DF35DC818751

Function 073DB840 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a767d3223865a9b33db42275eae3fad22931ece135d681adeb7a8d43eaa2116f
Instruction ID: aa4447b0d63d6908ab350611441fa6698b6c76577880fc698bd00cac6cb3f868
Opcode Fuzzy Hash: a767d3223865a9b33db42275eae3fad22931ece135d681adeb7a8d43eaa2116f
Instruction Fuzzy Hash: 003145B67002458FDB059BBCB8545AEBBFAFFC9250B11006AE009DB392DF348D0587A1

Function 072EC508 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a91b5f69c740af9b09d8da635742ee1b5cc2b13e2e76d1940e4914bed3cdae9
Instruction ID: a2b14cda29a370c6127dbb6e00682e85396dfc17cd112aee62d9298c7e49bbc5
Opcode Fuzzy Hash: 7a91b5f69c740af9b09d8da635742ee1b5cc2b13e2e76d1940e4914bed3cdae9
Instruction Fuzzy Hash: 0931D070B002068FD708DB68D86477EBBAAEFC5310F5485AAD40ADB391DB36DC85CB91

Function 0740E8D8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640978739b22d9fba4e2d3bbaba4974339167a571e139b3fb2994719daa7ccf1
Instruction ID: adeed553a75dde45f6134271950adc089d4e817cf0eebc8b7875b052dc212d33
Opcode Fuzzy Hash: 640978739b22d9fba4e2d3bbaba4974339167a571e139b3fb2994719daa7ccf1
Instruction Fuzzy Hash: BE41AFB0B00216DFCB54EF69D8459AEBBB2FFC9210B11806AE905DB395EB30DD11CB91

Function 074068A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66b87edfbb790fc36b2c82a33697ceaafd95474e87e86e905ca2b83e21f9325
Instruction ID: f9789449d8cfb4dbdd08dc3ec461992425c7f3b35591c700da8ba73463d25e80
Opcode Fuzzy Hash: d66b87edfbb790fc36b2c82a33697ceaafd95474e87e86e905ca2b83e21f9325
Instruction Fuzzy Hash: 11418EB0B002569FEB54AB78951936E7BF6BF84300F1044A9D8469B7C1EA349D05CB82

Function 07406720 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549695f124fea94746ea102f2d615e6650aec137d17ad06b8053f7799ad0ff6f
Instruction ID: 2e916c2897b341ebad54c055dc2e76ad2dc99be00071c85a8da02526662ada92
Opcode Fuzzy Hash: 549695f124fea94746ea102f2d615e6650aec137d17ad06b8053f7799ad0ff6f
Instruction Fuzzy Hash: 8931D071B002469FE7549B78D459BAE7FEAFF88310F10846AE44AC7382DB759D42CB81

Function 07406891 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873bc78f814c31602aca75984ed15b8def7fc0d1fa2d5c1aeec0eb03c0a5269a
Instruction ID: 481f7b21e19cdf26f0b974f4851dd81387b08081de7549535ccf32567162c831
Opcode Fuzzy Hash: 873bc78f814c31602aca75984ed15b8def7fc0d1fa2d5c1aeec0eb03c0a5269a
Instruction Fuzzy Hash: F141BF70B013499FEB55AB78952936E7FF6BF85300F1044AAC4469B7C2EA349D45CB82

Function 07405AA7 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3abb9b8a45071ee858e4cd3fc855b9a9afed3930497c179e391cc56d2955974
Instruction ID: 252170ba750c4a45f0d9325f50e96250f031f88a29a0d1c9c906e2f059050519
Opcode Fuzzy Hash: f3abb9b8a45071ee858e4cd3fc855b9a9afed3930497c179e391cc56d2955974
Instruction Fuzzy Hash: CD41E874A00108DFDB44DFA8D959A9DBBB2FF88301F1481A9E506AB3B1DB35AD46CF40

Function 072E9320 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c780e4012ac5a34a113e0c35c6901020b1e0e79da032cc5322d5c070a83fd8c
Instruction ID: 8bdd5ee139aa84bff73e53afab78568b1d065ccd6fce41895881e9aebc25e4e2
Opcode Fuzzy Hash: 7c780e4012ac5a34a113e0c35c6901020b1e0e79da032cc5322d5c070a83fd8c
Instruction Fuzzy Hash: 7331E2B0B0424A9FEB01DB78D81876E7BB6BF85700F1080AAD441EB3D5DB789D45CB92

Function 072E657A Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5b4353d64d54ef46b29c6afa94c3de3c54a8f9b5c423b38241f2faf279d8bb
Instruction ID: e88c5c6b12d84be16d04b1a4f46d69f49b84e159be9c6992f61bf2e9439b6fad
Opcode Fuzzy Hash: ab5b4353d64d54ef46b29c6afa94c3de3c54a8f9b5c423b38241f2faf279d8bb
Instruction Fuzzy Hash: E93139B47102068FE758DF68C599AAA7BF6FF89300F20446CE5069B3A5DB3ADC41CB50

Function 072E1D39 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7719c0ed48ae0ce83c33bc7d3d50c26baf4bc6ff0e1511d5f3c089a9a6381602
Instruction ID: e9dd22da2236e492dfe34f3b2814dce200c020845b2b88378f11d2b2e55c9379
Opcode Fuzzy Hash: 7719c0ed48ae0ce83c33bc7d3d50c26baf4bc6ff0e1511d5f3c089a9a6381602
Instruction Fuzzy Hash: C04187B1B002098FEB49AFB6E44405DBBB7FFD8601B208469D806AB364DB359D42CB84

Function 073D1FB8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7787a639c7a56071c8776aaabbd30b16f84ac18649f67cceccf7571db2d3fc
Instruction ID: d65bb6898e070509cfad4c44429a4714949fdbafe0b8614492652183482d6983
Opcode Fuzzy Hash: cb7787a639c7a56071c8776aaabbd30b16f84ac18649f67cceccf7571db2d3fc
Instruction Fuzzy Hash: 6121F6B67043518FD7255B7DE49881BBBEAEFC925131584BAE80AC7342EE35DC02C761

Function 073D3EC0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f1c6897beca51823943436852da611ceb42f80e766e5a61442831e55cb5c95
Instruction ID: 44d1866ec4a16895ebcb9cc78c741621b13773c3a0ac2aa5bedc004a5d5fe613
Opcode Fuzzy Hash: 93f1c6897beca51823943436852da611ceb42f80e766e5a61442831e55cb5c95
Instruction Fuzzy Hash: BB31D4B6305245DFD7188F69F8849AABBE9FBC5211704842AF80AC7390DB30DC08CB61

Function 073DFDA0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5961c9bf6d962fcb787b6f7b4dcd2a4b9133d565282b12a48662b02feae919d4
Instruction ID: 503d3c0531e3ac10bbc4b49d95aa72e4c324e52f91a79aebf0af5b6434e0f475
Opcode Fuzzy Hash: 5961c9bf6d962fcb787b6f7b4dcd2a4b9133d565282b12a48662b02feae919d4
Instruction Fuzzy Hash: 27312375A002198FDB04DB99E4849DDBBF2EF8C321F189069E419A7361DB30AD91CFA0

Function 073DE9E4 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313f3905ce3ba84d392454ed9343454671f62c70ec3b14ef74007a01346a7487
Instruction ID: 6ec8de5c0f4a1b31abd3b2ca2d0cd38cc76c425d359cdcd44e190b2da07aea07
Opcode Fuzzy Hash: 313f3905ce3ba84d392454ed9343454671f62c70ec3b14ef74007a01346a7487
Instruction Fuzzy Hash: 32312C75605321CFEB192B34B16E06C7FA9BB4A746B044569D843C7382DF3E8852CF55

Function 073D5551 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75745959e110843640cece5a276522967bdd9daa0939c22898b8227da6d91bc
Instruction ID: 074dd94fa8c23e2192abbc855140a550004bfad51c0a3f5cf7b4cdb744fdc349
Opcode Fuzzy Hash: d75745959e110843640cece5a276522967bdd9daa0939c22898b8227da6d91bc
Instruction Fuzzy Hash: 2F319072A00205DFEB14DF64E5446ADBBF2FF88720F198528D806AB394DB70AD49CF90

Function 0740F40C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72dc591663210f4d2df8bdd47672796270796366a29f4e2be985d74101a46f07
Instruction ID: 084130fe0ab58bfd72f1ad10d65051b4e68f5ec7e7c61b6509f95bca7ceac245
Opcode Fuzzy Hash: 72dc591663210f4d2df8bdd47672796270796366a29f4e2be985d74101a46f07
Instruction Fuzzy Hash: 67315CB0B502069FD724CF68D494FAEBBB1AF44664F14806AE805DF3E5CB34D809CB80

Function 0740E8C8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba7e3a56f8f6c68ace3362e7159b50fa4c5601a9aa3070e4485fef16f4bb3b5
Instruction ID: 5674c737e314945c726b6cc43a401d6be7867274d25933fd5924a9ee39044805
Opcode Fuzzy Hash: fba7e3a56f8f6c68ace3362e7159b50fa4c5601a9aa3070e4485fef16f4bb3b5
Instruction Fuzzy Hash: 6431A2B0B002169FCB54EF79D4549AEBBB2EFC5200B1580AAE945DB395EB30DD11CB91

Function 073D2887 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f91d9a1e3fc2ab7e9c786776841343378330123911399fce7748312e36e8c3f
Instruction ID: 93a90a9b82934108b727f9ae7a21f1f5828768b450826e2f2889915a5beb1184
Opcode Fuzzy Hash: 5f91d9a1e3fc2ab7e9c786776841343378330123911399fce7748312e36e8c3f
Instruction Fuzzy Hash: 6531F5716053A19FD711AF78E8955EEBFF1FF82210B0044AAE5858B261CB349849CB95

Function 072E9A97 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f88345273ba371eb036b75f3678daad6350d1b0ca541b65fba22aa80eff095
Instruction ID: ea67df77042b3d0d028d6f6bab404c0a3e63d2a7bdb07d22e1da6f3fc9afda6c
Opcode Fuzzy Hash: 56f88345273ba371eb036b75f3678daad6350d1b0ca541b65fba22aa80eff095
Instruction Fuzzy Hash: 33419C32E007468ACB11EF79D8002D9B771FF99310F25876AD0497B241EB74B9D5CB92

Function 07409B38 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bede784ddb4d19268864a1346c518989811846ff57cb1ddae563c921aa9fec
Instruction ID: 7089e7980e860fbd33bf602798901923015572206bcdfb71432d879891d2f143
Opcode Fuzzy Hash: a0bede784ddb4d19268864a1346c518989811846ff57cb1ddae563c921aa9fec
Instruction Fuzzy Hash: 23218BF67052059FD718AA299050ABAB7E6EBC5230B24813FD809CB795DB36FC428790

Function 0740F300 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d885b7f3d62080452097926bddd4962a85d8dfead77d097fe8f6d403a5cb2961
Instruction ID: b51c79cb3c6362e69bda95bef2a0cf231890be1c8a784a0d1608af6293cab6af
Opcode Fuzzy Hash: d885b7f3d62080452097926bddd4962a85d8dfead77d097fe8f6d403a5cb2961
Instruction Fuzzy Hash: E1313074B002059FDB14CF69C494AAEBBF1EF89360F14806AE805EB394DB34DD45CB90

Function 073D28D8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccb944de76e219a66b663247776db5b33b860aab7316958b6c891e1df0bde6d
Instruction ID: d06784a91727911ca9db8b514566bb360cb2a94f0c6b44049d7e9e07318a8b54
Opcode Fuzzy Hash: 2ccb944de76e219a66b663247776db5b33b860aab7316958b6c891e1df0bde6d
Instruction Fuzzy Hash: 6D316F74B006069FDB249F64E98896EBBF2FF84301F008529E9169B354DB70AC09DF51

Function 072E24E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91f86e4a8a13b5a453c14a1ded32dbd76c383e0f42fca1bf4b9faaed71fa5c9
Instruction ID: 5f1bb84910887d0fd0dd6f4e81391d20c592045b9ea64e0cd76c642663857be7
Opcode Fuzzy Hash: f91f86e4a8a13b5a453c14a1ded32dbd76c383e0f42fca1bf4b9faaed71fa5c9
Instruction Fuzzy Hash: 1B3121B0914796CFCB05CF68C9504ADBFF8FF4A314B15829AE455DB2A2D330C80ACB91

Function 0740A490 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3577b25fcea4cdb289b5a16d9cb55eb62552d4d76c7ca267d8e38db4d6ae318d
Instruction ID: b0093c940d5384ecfcac3e875a5530cb117eb0a29a00a2aa5ec1d7f8eb26aef9
Opcode Fuzzy Hash: 3577b25fcea4cdb289b5a16d9cb55eb62552d4d76c7ca267d8e38db4d6ae318d
Instruction Fuzzy Hash: 94316FB07002458FC714DF68D558AAE7BFAFF89341B1680AAE402DB394DF759C41CB90

Function 072E3BD0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451b2cbc11681d3f3b7de7eba9923f7cd4f3f232bf61afc10c5b913b7e1c1d18
Instruction ID: 0d15a4895aa09a254aded8893da28980bdaba4a685cc96b16fc35d8c2c346fa7
Opcode Fuzzy Hash: 451b2cbc11681d3f3b7de7eba9923f7cd4f3f232bf61afc10c5b913b7e1c1d18
Instruction Fuzzy Hash: 3321D47201E3D25FD703AB3899600993FA5EE8321075A00EBC0C5CF1A7D924988DC7A7

Function 072E9AA8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16219af85c84e0bdc0355b5a5611071023375aedd119c50b21896128b8111727
Instruction ID: d52912638db8c3fd6da30f53de0bd842fb6df61ae40531ec5577b328134d5a19
Opcode Fuzzy Hash: 16219af85c84e0bdc0355b5a5611071023375aedd119c50b21896128b8111727
Instruction Fuzzy Hash: FA315932E0074A9ADB10EFB9E800299B771FF99310F21872AE55977640EB71B9D1CB91

Function 073D8340 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74eeffbe8bcc7c13221b68077d8b691817910adf56aea160af93b73e2fefadf5
Instruction ID: 9729eb5bbca80c93a2cc4db8b97a9e9c2a5e42265115e5f08da2b01ec686fb3d
Opcode Fuzzy Hash: 74eeffbe8bcc7c13221b68077d8b691817910adf56aea160af93b73e2fefadf5
Instruction Fuzzy Hash: E421B6B67042055FDB08EBBA98546EEBBE7EFC8210714803EE50ADB391DE35DC418792

Function 073D9BE0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83086c4737883dde122e38a8e49bc287550166de4fb3b2da6ef6e343ecd385af
Instruction ID: c991d1cb31a3bb0861d4f8c6afb200d7a5a7a163c123ec2f5765d404c63fec16
Opcode Fuzzy Hash: 83086c4737883dde122e38a8e49bc287550166de4fb3b2da6ef6e343ecd385af
Instruction Fuzzy Hash: 3D21D3B17082425FCB02DB7CD9909AABFE5DF86210B15806BD889DB366DB34EC0587A1

Function 073D2DD0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb6e876df3362c8071d7f88f8d066c19052016e0a6f4a48b610fde8dbeb95a1
Instruction ID: 2b378920e130971d69e09d08592be5dae9c419df3b903c7d9f85c332f87971f4
Opcode Fuzzy Hash: fdb6e876df3362c8071d7f88f8d066c19052016e0a6f4a48b610fde8dbeb95a1
Instruction Fuzzy Hash: 7921E2763003019FD715AF35D4905AABBA6FFC9220711857ED80A8B765CF35EC85C791

Function 073D39C8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a075554c3c4955ec9acd5bea54aeb5367e2cf7c48e83ec191f1c3cc3f242044
Instruction ID: af0dcc9585031a7002931325ab530e5bd15e174a5bdde9a0ff88272bc5422ae1
Opcode Fuzzy Hash: 0a075554c3c4955ec9acd5bea54aeb5367e2cf7c48e83ec191f1c3cc3f242044
Instruction Fuzzy Hash: 6D21D3B5F01264DFDB55AB7890192AD7BF5EF85341B0140A6D906D7381EB388E05CB92

Function 072E9E42 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330c012b81ea06fe73f425efc54c02eaa9afadda91ad4b1922fe2bad6469a924
Instruction ID: 38bb3f56f719f71d815e6e8488ca17d353cf708c8e2dbb59eb7b5d0c14b9c818
Opcode Fuzzy Hash: 330c012b81ea06fe73f425efc54c02eaa9afadda91ad4b1922fe2bad6469a924
Instruction Fuzzy Hash: 8C21A5F07282968FFB195735B55923A3BAEAB42701F44446ED183C7683DA7F9880C752

Function 07407E48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2b12be06e91cd1b862bd4a10cd15b09d1c272d6c5f3b7c4ad56508a9fa46aa
Instruction ID: 6e0b4829e7dd0dcbddf301d18c8838a12a2cacbd08f039149ab8c58bd0101b1f
Opcode Fuzzy Hash: 5d2b12be06e91cd1b862bd4a10cd15b09d1c272d6c5f3b7c4ad56508a9fa46aa
Instruction Fuzzy Hash: 0121D3B07002429FCB15DFA9D9846ABBBE6FF84640B1540BAE909CB395DB30EC05C7D1

Function 0740C4E2 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac41e9567f0f8b8f55a2a8948d83be7a977914186d20c0f0ce3056a5aae670fb
Instruction ID: e10235b0382e94e38281e1ba9ea4fbd32747d2be1bbee1e4f7dd9234fd9eaf6e
Opcode Fuzzy Hash: ac41e9567f0f8b8f55a2a8948d83be7a977914186d20c0f0ce3056a5aae670fb
Instruction Fuzzy Hash: 0721AEB5200205DFCB119F69E844BFA7BB6FF89351F01846AE5158B390CB39D852CBA0

Function 073DE9F8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9b5c2867f3e1bad3d000d0c5e6aad618065c9d1e4cd0faab5880b7b92748cb
Instruction ID: d1a286ef7a4951a69aa1da94df2590e24a59c9212cd3f2f9a2b5c54bc9c67365
Opcode Fuzzy Hash: 0c9b5c2867f3e1bad3d000d0c5e6aad618065c9d1e4cd0faab5880b7b92748cb
Instruction Fuzzy Hash: 7021FC75315225CFEB192B38B66E02C7EAABB49746B04466DD807C7381DF3E8852CF51

Function 072E6C08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12967ff1ba9da0c66ec41d62bf781a8939fa7f25d9ed45b542ccb6b178996df
Instruction ID: d22492999e7d727c928c186c1c73be58a6f6d8783898efa7b4dca54e54f73016
Opcode Fuzzy Hash: c12967ff1ba9da0c66ec41d62bf781a8939fa7f25d9ed45b542ccb6b178996df
Instruction Fuzzy Hash: DC31A571E1060B8BDF11AFB9D8181AAF7B5FF94300B10C629C45AA7740EF35A985CB91

Function 073D8381 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4f969a3788c56bb5a7529284bf9cbe95e3c41ba235ba0de345887286229913
Instruction ID: 8a25b0b945312f5513542f9149a005980c5cf921a8fa5fc79dac6883c8cb7bf8
Opcode Fuzzy Hash: cf4f969a3788c56bb5a7529284bf9cbe95e3c41ba235ba0de345887286229913
Instruction Fuzzy Hash: FA1196B57002056FCB05ABAA98555FE7BE6EBC9610B10403EF506EB391DE349D0587A2

Function 073D3EBE Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d8c14b06d79d9f175a39f454635c55f40e74df91fd494d384f1a07ac59b2f3
Instruction ID: 4c968cfe9bfb3a709e4945b1e9053e780465cb2afab885c7569d341176d5d8d1
Opcode Fuzzy Hash: 80d8c14b06d79d9f175a39f454635c55f40e74df91fd494d384f1a07ac59b2f3
Instruction Fuzzy Hash: 7B2192B6301255DFD714CF65E4849AA7BFAFF85251B048429F856CB390DB34DC09CB61

Function 073D7977 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb9359c2598fc46e401caaf109eb643af769a8647076d69200f342ba104de7c
Instruction ID: efbc844e7c0f79d43277309a603112283aee8660d8ac1e387a0cbd0837c5a45f
Opcode Fuzzy Hash: ecb9359c2598fc46e401caaf109eb643af769a8647076d69200f342ba104de7c
Instruction Fuzzy Hash: C821A8F3258106ABF729D629F0447AAF7B6DB42350F049156E80DCBB14D332EE918781

Function 072EB6C8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d84861041d268d269644862cb6fc816b84df69bd7dd350d7c59c6ad30d3002
Instruction ID: 1927c4bed9102037b9fd55be8430ffedf79ded8b810438fc3a19a7a63b96df43
Opcode Fuzzy Hash: 31d84861041d268d269644862cb6fc816b84df69bd7dd350d7c59c6ad30d3002
Instruction Fuzzy Hash: 6D1121323043528FD3129B78E89462A7BA6FFC1305F10083EC046CB792CA76AC49C792

Function 07403D88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f208aa6dfb51a3514bf91fc5b1bf37b80a014502a4a7496ce7cb492c9de5723
Instruction ID: c670bd9cdac02346e2f4ad0ad51aad53749bf6df6e0b40f2905af447ce05e715
Opcode Fuzzy Hash: 9f208aa6dfb51a3514bf91fc5b1bf37b80a014502a4a7496ce7cb492c9de5723
Instruction Fuzzy Hash: 7121DBB0B002489FCB14AF7894596AE7BF2FF89300F1084A8D04ADB381DB309D06CB81

Function 073D2DE0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589588126e54d22c95a2ade1f6609802a03e1fe8396ea3d50f1c0d443ded12f0
Instruction ID: f1a1bef5ebc5a24609372b835702b892c1e12040a3a62d9e33c9bfa961b32e07
Opcode Fuzzy Hash: 589588126e54d22c95a2ade1f6609802a03e1fe8396ea3d50f1c0d443ded12f0
Instruction Fuzzy Hash: 52217CB23003019FDB18AF35D49456AB7A6FFC8211711853DD80A8B395DF34EC85CB81

Function 015DD04C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2363498186.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f71db0b11603b242b11c738923d6fe1317395b35876c953b21ff5f9d2d9a03d
Instruction ID: 30fd9929b8216ccaa1aa8eb768577f6a78624b861abd6fb44fd898a344f7d178
Opcode Fuzzy Hash: 4f71db0b11603b242b11c738923d6fe1317395b35876c953b21ff5f9d2d9a03d
Instruction Fuzzy Hash: 9A210071500204DFDB21DFA8D980B2ABFB5FB84314F20C9A9D8094F296C336D446CB61

Function 015DD7E4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2363498186.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d12e750bf1402a6f95762298b02df6315e1ffde3c0d7d1ebef0b01f3e548b0e
Instruction ID: ca8ba8ed214d931786edc155ce333b238118d8d5a1a809e03b951fd265201e3e
Opcode Fuzzy Hash: 3d12e750bf1402a6f95762298b02df6315e1ffde3c0d7d1ebef0b01f3e548b0e
Instruction Fuzzy Hash: 1121D071504240EFDB26DF98D9C0B2ABBB5FB84314F20C9A9E84D4F292C336D446CBA1

Function 0740C068 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eba3083d6e962799104f3d831bb2783d30e5d1c9e337f878e1a020a6f4eef3
Instruction ID: 1fa0086aa9ec3661d12e478488b61694c18e47ef4542822e879d85f7c6aea835
Opcode Fuzzy Hash: e1eba3083d6e962799104f3d831bb2783d30e5d1c9e337f878e1a020a6f4eef3
Instruction Fuzzy Hash: A311C4727043169FC715AA7DA44446F7BEEEBC8360324857AE40AC7740EE35DC02C791

Function 0740EA18 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f7c86445807e4e1bd11005eae18a011718dbb73876cedaed8fcca2f297f8b1
Instruction ID: 776127a789ee8adfe39b49ccd8ee4a2d346c62bd107cc880efcda418dc4cfb63
Opcode Fuzzy Hash: e0f7c86445807e4e1bd11005eae18a011718dbb73876cedaed8fcca2f297f8b1
Instruction Fuzzy Hash: 2A21C2B170410A6FC705FBA8E8506AEFBE6FFC5200B10816AD105AB3A5DF30AD4587A2

Function 072E2079 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d08adbe8c8daabfdfb258ad480cdd8d44e92980c2545603fdf96d9dde05da7d
Instruction ID: fb78ec8c4596cf63a50ae4f5628fbc3ad8569ccf077d6578562e87267f7a77ac
Opcode Fuzzy Hash: 8d08adbe8c8daabfdfb258ad480cdd8d44e92980c2545603fdf96d9dde05da7d
Instruction Fuzzy Hash: AA2179B1A2050ADFCB249BA8D8486EEBBF9FF49315F504469D506E7284D7714944CF90

Function 072E23F3 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0158fdf8538d2822ff1ee11b775dba532aaa3c84244e94b283c492819db7d4
Instruction ID: 2a85fa1fbbbd6d677d48a692d79d366f3098c7d91b8292fc8f3c47977f4296e0
Opcode Fuzzy Hash: 6b0158fdf8538d2822ff1ee11b775dba532aaa3c84244e94b283c492819db7d4
Instruction Fuzzy Hash: 6E21E770615696CFDB55DB7498686AD3FF9FB8A200F1000A9D193DB392EB784C06C761

Function 07405338 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b59ae7575d8f89de3d324855c24adb76f11e2edc681e0c9ac68b95d975be92e
Instruction ID: cf3afce72b05781ee7a4860d1a8c4a7e16dd1865552a1722d20c33e1c52759f1
Opcode Fuzzy Hash: 0b59ae7575d8f89de3d324855c24adb76f11e2edc681e0c9ac68b95d975be92e
Instruction Fuzzy Hash: 9E210271A042598FCB15DBA8D418AEEFBF5EF89310F04417AD482B7290DBB05856CF90

Function 0740EA28 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc664e42e67ba755a129f03b4e5bc6a1f420072f3338e4335d64278b8928c2d6
Instruction ID: a1c360eada182575970d4c81edd2e2dee1e8651970572f08c71299ade203dbfb
Opcode Fuzzy Hash: cc664e42e67ba755a129f03b4e5bc6a1f420072f3338e4335d64278b8928c2d6
Instruction Fuzzy Hash: 5E1160B170010A6FC704EBA9E951AAEB7E6FBC5200F108029D505AB7A4DF71AD0587A2

Function 07409710 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e05bbe2d3d4a560eeb8355a7b183253db59e54b752a4180da38a64ac6a00e99
Instruction ID: 8f30d44824d4e08dc18dcd21d6e339b7bdbf133d7b7dec3fc0f71ec7f3a5198e
Opcode Fuzzy Hash: 2e05bbe2d3d4a560eeb8355a7b183253db59e54b752a4180da38a64ac6a00e99
Instruction Fuzzy Hash: 7411EF317043419FC32AAB38D99845BBBE6EFC520431544BAD40ACB3A7EE31DC0ACB91

Function 072E3646 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6615a00556fe14b9d071fbc6cde0af6a5a955d9f0e8f47481e01b859afb33cc
Instruction ID: c04b0b848205637a150bf721dccf2748740c6b653ae6805a6bc5fd218eed8245
Opcode Fuzzy Hash: a6615a00556fe14b9d071fbc6cde0af6a5a955d9f0e8f47481e01b859afb33cc
Instruction Fuzzy Hash: 5321A175A002059FCB54EF68EA55A5E77F5FF8D700F50406DE506A77A1CB31AC00CB91

Function 072ED34A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1d677239f8d5e07816b40ee7ee6d50cd7ad5c98f1d80f5a6b2e5de072b8bbd
Instruction ID: 0b26bc4cb5abff523abc35af35c70a537f4f62f0ccdd2a0699bb1378c0c20733
Opcode Fuzzy Hash: 9a1d677239f8d5e07816b40ee7ee6d50cd7ad5c98f1d80f5a6b2e5de072b8bbd
Instruction Fuzzy Hash: 3211D0B0310206AFD704EE69E884AAE7BAAFFC5240F40842DD506CF2A5DF75DC48C790

Function 073D8390 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2155e44a48bb35ba2849e85c46b56e79ef09f8601609719f4d8fd2529412d7
Instruction ID: b78159f7d960fb79fd704783a621ea0d56cc8b25e736704b3adf143c8bccf05f
Opcode Fuzzy Hash: 2c2155e44a48bb35ba2849e85c46b56e79ef09f8601609719f4d8fd2529412d7
Instruction Fuzzy Hash: 131177B57001056FCB04BFAAD9546BE77E7EBC8650B10403EE50AEB391DE74DD118792

Function 072E3648 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceac600c7cef04a9cc326a7c6aa5a368ceb5cb6efd16342cd355b235e4df8438
Instruction ID: 58d7a19a63e08c55b210be7e598e13663849af04a9eef254fef430884877a3f6
Opcode Fuzzy Hash: ceac600c7cef04a9cc326a7c6aa5a368ceb5cb6efd16342cd355b235e4df8438
Instruction Fuzzy Hash: AF21AE75A002059FCB44EF68EA55A6EBBF5FF8D700F50406DE50AAB7A1CB31AC00CB91

Function 073D29E1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eeb06dc8ce9e5173fbd85e7ba77e70cde51c8bedd3203396967e6c30b58f608
Instruction ID: 6b6b0b590c83fa95bff437e8b9a6e65f5579f08cd1cefb2d39cf960f877394e4
Opcode Fuzzy Hash: 4eeb06dc8ce9e5173fbd85e7ba77e70cde51c8bedd3203396967e6c30b58f608
Instruction Fuzzy Hash: 7211C8717002059FDB15AF64FC556AEBBB2FBC1611F00402AD5069B394CB71AC4ACB91

Function 074098C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5c52a28e31976c401aceaee116853727ed707a9302913a64aed6a0c7a942f9
Instruction ID: 969b001987f5205ecff62899a31a950b73d65b5595d9e8752a62fa9e8cc1dbbf
Opcode Fuzzy Hash: bc5c52a28e31976c401aceaee116853727ed707a9302913a64aed6a0c7a942f9
Instruction Fuzzy Hash: 3A116DB1A0060A9FC711EF69D88089EFBF5FF842107008A2AD055D7765EB30B989CBE1

Function 0740FF48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ea5407dbb91e33caf0c39d24fd55135cfec355049b876bd328f3ee3bfdbe7c
Instruction ID: ed01f17fd406ee69ad6d869661c4afb97d7f7438102e0e62980bf9575988f92d
Opcode Fuzzy Hash: 81ea5407dbb91e33caf0c39d24fd55135cfec355049b876bd328f3ee3bfdbe7c
Instruction Fuzzy Hash: 5611E772F443559FDB21ABB8E8081DEBBB4EF82311F14467BE50993282D734684AC791

Function 073D69C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4943367966d7ecd7d43a477769f86add86aa390b42182afd996313818b1c217
Instruction ID: 8be67149b0c21efbb4ac33184a16676d90b43e398a1fea71e9ebb1e009217a48
Opcode Fuzzy Hash: e4943367966d7ecd7d43a477769f86add86aa390b42182afd996313818b1c217
Instruction Fuzzy Hash: 4111E3B2600245DFDB119F54F8418AAFBBAFF85250700C229E85A5B751CB30ED55CBE1

Function 073DCE11 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3880246e1c4efb1d51044d424bd0e520a079a9359c31cb0869e7eab50195fa50
Instruction ID: f647a8007e743f273a502fb5975c3c88f522905d7d246e996da9c4bd9dffb40d
Opcode Fuzzy Hash: 3880246e1c4efb1d51044d424bd0e520a079a9359c31cb0869e7eab50195fa50
Instruction Fuzzy Hash: 52212CB1E1020ACFCB05DFA8E5545EEF7B5FF48300F108569D419A7660EB389941CB91

Function 073D8CA9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2bfd28b420156485983eb403a78c12db82d2c3d5e2719ebe0aec9819b20891
Instruction ID: c51f8571b257b10ea80982b2b5d68bf94d2c073cac4964a96807401ddcdd2868
Opcode Fuzzy Hash: 4a2bfd28b420156485983eb403a78c12db82d2c3d5e2719ebe0aec9819b20891
Instruction Fuzzy Hash: F311A9B27001055BDB14DE6ED4556AFF7EAEFC4650714802AE81DCB388EF34EC114791

Function 0740B808 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e96f8530db3a2eff6f1f444a83175ccf424e7979ea574cd506fac746cf1750
Instruction ID: 108e9a37b638dc8ac4ee04dbcda83ae29f0bf0689a840dacc3bc26359594be14
Opcode Fuzzy Hash: 03e96f8530db3a2eff6f1f444a83175ccf424e7979ea574cd506fac746cf1750
Instruction Fuzzy Hash: 28012D757042508FC716561CF4459AAFBABEFC5360314816BE8458B356CF34DC42C7E5

Function 073D7E88 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dccbad6efa2cd1553d05b2bdd1ba1739d4659caebff458e2ee2a26f15f70428
Instruction ID: a5a4597462190c5bfc26977cc03ead4a062a05bd731a215e1e03f34b1ed305d9
Opcode Fuzzy Hash: 4dccbad6efa2cd1553d05b2bdd1ba1739d4659caebff458e2ee2a26f15f70428
Instruction Fuzzy Hash: 6B01F5B23042156FD315A669A840BBF3BDAEFC5560B04806FF408CB391CE35EC0183E2

Function 072E2528 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28b8e085864e43c2a38d098344a38a3556f9e8ec8192340af2ba5f8b45b524d
Instruction ID: 9a4d250c1cbd071487289c0d762467fc749ca7b6b4df2bd6c3eae9183a0609ff
Opcode Fuzzy Hash: f28b8e085864e43c2a38d098344a38a3556f9e8ec8192340af2ba5f8b45b524d
Instruction Fuzzy Hash: 43118EB5E10A16CFCB04DFA8C58896EB7F8FF48324B608269E425D7360D770E845CB80

Function 015DD047 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2363498186.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 1488189d8354da3895b89613ec13a0a399d99d352191c23b0b023e62d0888ce2
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4511BE75504240CFDB22CF68D5C4B19BF71FB84214F24C6A9D8094F296C33AD44ACB61

Function 015DD7DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2363498186.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 7ccb905b637485d05a0879ace130cdb04fdcec887a8514116a4e4f8263bdb17a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E8118E75504240DFDB16CF58D5C4B19BF71FB44214F24C6A9D84D4F696C33AD44ACB91

Function 072EB6F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1397be96dc5f6ce277334acf3a182456f7590ae16d07d09ed0ee7ff13eae20
Instruction ID: 4ce412d727bd450b53787d9de5783435d30c3ad0037676957c63e5b55bef7806
Opcode Fuzzy Hash: 2c1397be96dc5f6ce277334acf3a182456f7590ae16d07d09ed0ee7ff13eae20
Instruction Fuzzy Hash: C301CE763003129FD7149A74E54462ABBAAFBC4705F00443CD10A8B781CEB6AC458751

Function 073D69D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9b13a7008a9eb18124173ad2a25ac91c06532977d514b230bae387a46b843d
Instruction ID: 0ad64dfed877fce3e700e2ef97926d27c2fcfed547bfe18efc1b3e8dd7422928
Opcode Fuzzy Hash: ef9b13a7008a9eb18124173ad2a25ac91c06532977d514b230bae387a46b843d
Instruction Fuzzy Hash: 551170B1600215DFDB14DF55E84186EF7BAFF84250B008529E85A9B750CB30ED55CBA1

Function 074043E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdea67ab7c662582d6a7fe949f060b2cd83868c64084ee94db1eb39e5bc6eab
Instruction ID: 0d4c619e4dc253ae2c738912efa4f7b5e34b5d8bff5cbc60ba6436d776e20a57
Opcode Fuzzy Hash: bbdea67ab7c662582d6a7fe949f060b2cd83868c64084ee94db1eb39e5bc6eab
Instruction Fuzzy Hash: B5016DB17403855FDB21AB28A8426BEBBA6DFC1315F04402AD1098B282CE3498468751

Function 072E2428 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edcc1c3d4044ad0757d8174e61ad1689a69decc1381e9baf1c0fcd7a662187e
Instruction ID: b0c5f63f98f38e290be3cd60947f2cd0e4662a5574076fd7a2fa5263f6945bbf
Opcode Fuzzy Hash: 7edcc1c3d4044ad0757d8174e61ad1689a69decc1381e9baf1c0fcd7a662187e
Instruction Fuzzy Hash: AD018070710625CFDF54EB78C81869E7BFAAB8C200F100428D503EB390EBB95D008BA5

Function 072EAE60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64cd04adee419164a1cd59f716850f94bd04589712aad15773d94af2d1dff63
Instruction ID: e4d4634a4597ef2d0caa78b2225e10f2dc285ebefbf9b49ab6f9fa2293d9df0e
Opcode Fuzzy Hash: d64cd04adee419164a1cd59f716850f94bd04589712aad15773d94af2d1dff63
Instruction Fuzzy Hash: 290188302006068FC712CB29D99499ABBF5FF84300B65C4AAE405CB722DBB0ED46CB90

Function 07408A68 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca59fdea2510081b0306d1511498089542f2ea21e61be2c3be9b03e6f836603a
Instruction ID: 290ba30b8cca6560c61bfc5ef58280fe6f246ce38087056c83032f4eb3d2558c
Opcode Fuzzy Hash: ca59fdea2510081b0306d1511498089542f2ea21e61be2c3be9b03e6f836603a
Instruction Fuzzy Hash: 6E01A2B23001056FC744EB9DE444BBF7BEAEBC8660B00801AF909DB390DF749C418791

Function 073D7E98 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8623df1a4f22a5c2d5db536fa9ac5e6eccf5c0c856366b30ed911a9ea4d93edc
Instruction ID: 359abc1b1f245f3c426047c8e7ae45f820eebf11d43b013f7732c0d3d8aa9602
Opcode Fuzzy Hash: 8623df1a4f22a5c2d5db536fa9ac5e6eccf5c0c856366b30ed911a9ea4d93edc
Instruction Fuzzy Hash: 42F081B23001196FD754FA6AA840BBF66DEEBC8660B54802AF509DB390DE75EC0147D6

Function 073DFC88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fded4bad3f6695d40e956d205ac4eadfcf5ae15c5efdf70744c01c392421898
Instruction ID: 4d83689f527aad9675256dae7079560a5251bb9df64a4e521175c49ee28ebc74
Opcode Fuzzy Hash: 8fded4bad3f6695d40e956d205ac4eadfcf5ae15c5efdf70744c01c392421898
Instruction Fuzzy Hash: 390147B6300342DFD3125B30A29839ABBE2BB85250F04046ED58B877C2CB76A919C791

Function 0740A408 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3429790a0a7d4684dfeec1769f2e09d4428a79bda23a15c5e72e25bc0fa9afd3
Instruction ID: ad777f082859fd9bb9ae73fbee6ef3cf3b42bc4bfdb81805e37cbe17d1755b0b
Opcode Fuzzy Hash: 3429790a0a7d4684dfeec1769f2e09d4428a79bda23a15c5e72e25bc0fa9afd3
Instruction Fuzzy Hash: 120188B4A05345DBDB04EBB8C46859ABBF9EF84300B1484BAD846C3380EE35CA01CB42

Function 07409858 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949eb9a3f69b7ed05bedd8bf4b16a5881b8577519d39067445cd93766004d462
Instruction ID: f85dcdcb94faf8f782c68ed4e7c7da2b741d08cba2cc86d12545dc1fc2efa2cc
Opcode Fuzzy Hash: 949eb9a3f69b7ed05bedd8bf4b16a5881b8577519d39067445cd93766004d462
Instruction Fuzzy Hash: 46016275B001199BCB14ABADD8055DEBBF9EFC8221700817AE82ED7790EB30E8048B90

Function 0740C478 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba569a9fcd0bfdcc6b86e3518c42ca70bf440503db91c733afed4c6bc73da6ee
Instruction ID: a84ae66e19187baae78109023f42b93a6b72aa70716dd817226875277b01b5d1
Opcode Fuzzy Hash: ba569a9fcd0bfdcc6b86e3518c42ca70bf440503db91c733afed4c6bc73da6ee
Instruction Fuzzy Hash: DF016272E04259AFCB069BA9DC05BEEBFF9EFC9210F048066E615D7240D7745541CBA1

Function 073DB147 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5028b4746e238a408d99b33f21c912d5445ef5da05e1a206a23e2581da1172
Instruction ID: 4f0331b620535adeb46eb88e1a31605c284853d0ca52d4a65eddee280765a2a3
Opcode Fuzzy Hash: 1c5028b4746e238a408d99b33f21c912d5445ef5da05e1a206a23e2581da1172
Instruction Fuzzy Hash: C8F028F72092521FE3008E6CF856792BFC9EBC6228F1900ABD0058B193E665D943C761

Function 073D6C28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e06432ae1e229418cc3c4c180204027d37db43aa5d8e1651a0907849255616
Instruction ID: 25f8547b8a9f86e1ed51502f1e8631cb2b952d9e5508e50e64b450eea13dae43
Opcode Fuzzy Hash: 15e06432ae1e229418cc3c4c180204027d37db43aa5d8e1651a0907849255616
Instruction Fuzzy Hash: 9901F272210381CFC7619B69E680666BBA0FB82265B04957EC0894F621CB31EC0ACB91

Function 073DE8DA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77842256a5c26c0445628d33736678064c74a9a7b89ba752910e18cc05e28621
Instruction ID: f045ad5d2793fcd61605a39ee1cf2f821a7c4765aeff3c6d83f50924f60f6a36
Opcode Fuzzy Hash: 77842256a5c26c0445628d33736678064c74a9a7b89ba752910e18cc05e28621
Instruction Fuzzy Hash: 9301D2B2D4865B8AFF00DAA0E5157EEBFB27F45340F004026D414AA282CB7E0A44CFA1

Function 072E2001 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bb8d4582ace074e00b7981f4efc75c285ae73a56dd6de6147b89be9c75eac7
Instruction ID: 20090cb771c73e0ee55a2f1236c61b527f2779446178fc3b80e7d7d8730cdf2d
Opcode Fuzzy Hash: 03bb8d4582ace074e00b7981f4efc75c285ae73a56dd6de6147b89be9c75eac7
Instruction Fuzzy Hash: 61F028F31995978EE7218729E8513F0BF69FB56329F0841FAE05ACB983C41D8841E360

Function 073DFD90 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00c5fb4c4ec100aa45c1a8e14b233c22eb3a1ca1e2465d4ab008af73fabf4ec
Instruction ID: 28bb711aebdab03e33af8af0e098942df1131ed6146a9233b800b1e836ec7465
Opcode Fuzzy Hash: f00c5fb4c4ec100aa45c1a8e14b233c22eb3a1ca1e2465d4ab008af73fabf4ec
Instruction Fuzzy Hash: 0C012875A045998BCB04CBA9E5948C9FFF2BF8D330F099166E455B7362D7309A81CFA0

Function 072E3CA0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce26cb5860d80f7a28c28377ff03e38e8d0e206ca671c92b19be3c16825efa9
Instruction ID: 629a6426814906f9fe0c256450c88d3c2025af4aaae2061debb22c9e5abbcf0e
Opcode Fuzzy Hash: 1ce26cb5860d80f7a28c28377ff03e38e8d0e206ca671c92b19be3c16825efa9
Instruction Fuzzy Hash: 24F0A932305206AFCB06AB68E4954AE7BEAFEC6310314446ED056CB255DF36AC4A8793

Function 073D7918 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c6571b4f12bc95f72a84a5176667645152185082d40868ff172424a1971b3
Instruction ID: 6a070740484646ab55227b19fe0851b1aa2480c8a78fdb9c6ef482ef2f222443
Opcode Fuzzy Hash: 117c6571b4f12bc95f72a84a5176667645152185082d40868ff172424a1971b3
Instruction Fuzzy Hash: 01F0B4B63092156FC71596BA58544AAFFD9DFC626431480BFE01DCB783DA71DC0283E1

Function 072EC4F8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6a67fdbf4645fe79a06e8e5beb731f155dbd59169ec683f84fbcece688aa09
Instruction ID: 72094594adaf8ee46a2647ed972ab96fb34e2d80bec9cbe778190cf74786fde6
Opcode Fuzzy Hash: 8d6a67fdbf4645fe79a06e8e5beb731f155dbd59169ec683f84fbcece688aa09
Instruction Fuzzy Hash: 26F040707002059FC3149A6DD888AAAFBF9EF8A320F50887AD40AD7241DB31E880C7A1

Function 074043F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf8cef5291729ddd7a13725a04715b04fde77692c0803e255f7aaf5c24c740d
Instruction ID: 3b7c1489efbe9d88800a364e0cc190c83a046d5b6774a3dbea1447f8bcd66670
Opcode Fuzzy Hash: acf8cef5291729ddd7a13725a04715b04fde77692c0803e255f7aaf5c24c740d
Instruction Fuzzy Hash: C5F028B17003455BDB20EF28E44667FB7AAEFC1721F04413CD50A8B380DF35A8058761

Function 073D90E2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61726226b18b89628470e31bbcf114e6bb96114ab61fe94016fa80ad557d28b
Instruction ID: 170fc94e0ee296b56234bb98c15096b34ac27e4bf9b7662a23accbc749d63d0a
Opcode Fuzzy Hash: a61726226b18b89628470e31bbcf114e6bb96114ab61fe94016fa80ad557d28b
Instruction Fuzzy Hash: 45F090763082105FDB169A19E8849AABBEEEFC92747148017F80DCB386CB35DD4287A0

Function 073DC818 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520c57138b52d33ca3dd33ff8b51ed45656e8eb75dbaa7934a56efe4d754e530
Instruction ID: 863f60aabb1b94584d697d564720a0fa1828a3cebd890f7454f30f7f82ec97b4
Opcode Fuzzy Hash: 520c57138b52d33ca3dd33ff8b51ed45656e8eb75dbaa7934a56efe4d754e530
Instruction Fuzzy Hash: 250171B2E6011A8FEF00DBA9F908BEEBBB5FF48301F004425D415A6190DB7D5945CBA1

Function 073D92D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22db2e2c6a0c6e2a085abf6ae2da546b7031c73245e8a7db7c000795abdc25ef
Instruction ID: 020a4f848eb70b540c99c203d885fe7c3da3710a107dadcc89f1335f8cb23b15
Opcode Fuzzy Hash: 22db2e2c6a0c6e2a085abf6ae2da546b7031c73245e8a7db7c000795abdc25ef
Instruction Fuzzy Hash: 21F090727042559F87119A29E40099BBBA9DF85264305806BE80DCF761DB31ED41C7E1

Function 073DB958 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d9f71cbe66f1c10eab9164d0f5e089d253211daef21a8d65e4e7aa363c5efd
Instruction ID: 8ab1bdda54b0f0855510616d841b2fa945e46e5390722e43f31ea519c3496e0c
Opcode Fuzzy Hash: 35d9f71cbe66f1c10eab9164d0f5e089d253211daef21a8d65e4e7aa363c5efd
Instruction Fuzzy Hash: 3EF050D270D2D04FE713077878240797FA6DE8765070900FBE085CB193DB288E06C361

Function 072EAE70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9468d631ef7b09634cd9e91017874d7826f7888f727078aed697a4496125feff
Instruction ID: e2f9b7a4d30dc9388befad439efdee73e1d1b2255f3af1966762ef685b67d9ff
Opcode Fuzzy Hash: 9468d631ef7b09634cd9e91017874d7826f7888f727078aed697a4496125feff
Instruction Fuzzy Hash: D60169302006068FC754CB19D548D9AB7FAFF84310B55C4A9E4058B735DBB0ED46CB90

Function 07404470 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f944afbb2adde44dc65f212720e329402de43e9885c9abb06016f9a8d75a57f5
Instruction ID: efc9cc77d21d212df654c88c001df8ffc65aab808f8b89bf4bce7b6a6f757b88
Opcode Fuzzy Hash: f944afbb2adde44dc65f212720e329402de43e9885c9abb06016f9a8d75a57f5
Instruction Fuzzy Hash: ABF0F6F1790154ABE324676CB91A7AA778EDB41711F04007AE7068A3C0CD798C8083D5

Function 073DDBF0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c3f62649cabc348b66831b221bb0828970737f8a159623ddf31cf7e2a84236
Instruction ID: b501ea7bd8e058829157a02633dc4bd94abee92eb4f094fc2044c50816eb2972
Opcode Fuzzy Hash: f8c3f62649cabc348b66831b221bb0828970737f8a159623ddf31cf7e2a84236
Instruction Fuzzy Hash: 080184F1F1420F9EF744EFA8E45576F7FB4AB41704F00446AC0899BA92DBBA1904CB92

Function 072EC217 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c4f036ce2adaf1e848a4bdd4a7b0ff7b71c64383da4d7c4c878c680a6661bb
Instruction ID: 6b11e9ce769f899793a25242afcca38faee220f15eadebb72ac368d444949c4f
Opcode Fuzzy Hash: d6c4f036ce2adaf1e848a4bdd4a7b0ff7b71c64383da4d7c4c878c680a6661bb
Instruction Fuzzy Hash: 42F0F0B6A00209DBDB04EB99C0415CDBBFAEF8A341F644526D408EB326CB346D95CB81

Function 072E2088 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c64368911f42e9df1fabcb2d763e5ae1788a997a5b2b68e750c28e56ce9eec
Instruction ID: bc0e5b5f2e9becf562f943f2d2bde4ad188f203047bb867317115f51aae6cb40
Opcode Fuzzy Hash: f7c64368911f42e9df1fabcb2d763e5ae1788a997a5b2b68e750c28e56ce9eec
Instruction Fuzzy Hash: 07F04972B10219DFCB40AFB8A80459E7BF8FF49650B5004A5D50AE7254EA358A00CBC1

Function 073D8448 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b43220d8bfa00b25eacf9890f5d73f8d25e0ef275ec4e972a5794aa6dd2cb1f
Instruction ID: 58fea46539925abfb80c45fc08afa3386aa4e5ebb56ec945d78889e9f3ec84ba
Opcode Fuzzy Hash: 6b43220d8bfa00b25eacf9890f5d73f8d25e0ef275ec4e972a5794aa6dd2cb1f
Instruction Fuzzy Hash: 23F0A7B27041151F5714966E68805BF9BEFDECA520314407FE00DD7785DE219C0253A1

Function 073D6C38 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16fd82569232d92861ffb55ff19915668427914ec5763d307ed0120a2307bdc
Instruction ID: ab6a8812eb083a4422ec09941a5a45ce651645e5faf078dc023f092d1defa0e9
Opcode Fuzzy Hash: d16fd82569232d92861ffb55ff19915668427914ec5763d307ed0120a2307bdc
Instruction Fuzzy Hash: AEF0C231200306CFC760DA69E980A16FBE5FF80354B44953CD0494FA15CB31FC49CB91

Function 073DFC98 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f0d0b091354db21306486fc380e81b222bcdf2e6c4f5d36e62a6cc4365600f
Instruction ID: efc660a6524322380dd2d97705582aa86ddeee294afc35441bd7db7b36f1f6be
Opcode Fuzzy Hash: b5f0d0b091354db21306486fc380e81b222bcdf2e6c4f5d36e62a6cc4365600f
Instruction Fuzzy Hash: 58F022B2300200EFE7211A30908875ABAE6BB85710F50443CD68B477C1CB76B845C791

Function 073DE8E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b191422bf57148913a251f9f19b50beaedf773547a26cff32b03e0c2fd1f7fd
Instruction ID: 5bb218de392e706ed7ed489045efc6b122bc0b479d608080a91128ed7bcdc450
Opcode Fuzzy Hash: 6b191422bf57148913a251f9f19b50beaedf773547a26cff32b03e0c2fd1f7fd
Instruction Fuzzy Hash: C401BCB1E4825A8AFF40DBA5E4057AEBFB67F45300F008025D410BA281CB7E0944CB61

Function 0740C488 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ccd9e6c208b10655c2374488bafc46b61a185a37c1b85c0e770fbc7ce10c39
Instruction ID: 179e2beaa83611947e5f64a9e61641a9bfc322980ef6530724b308d00b8cca0b
Opcode Fuzzy Hash: 39ccd9e6c208b10655c2374488bafc46b61a185a37c1b85c0e770fbc7ce10c39
Instruction Fuzzy Hash: D5F01D72E00118ABCB05EB99DC05AEEBBFAEFC8611F048026E629E3240D77456118B91

Function 074027E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ce31040fe47dc7d0d03f55821d77be925fe26a0cd18885fa6735a12983c1dd
Instruction ID: 52c169c6ae2a531cd2f3745de2516cbd5a8c4998f5b00bb688028b8fe5a1a78b
Opcode Fuzzy Hash: 26ce31040fe47dc7d0d03f55821d77be925fe26a0cd18885fa6735a12983c1dd
Instruction Fuzzy Hash: 67F027312042465FCB160A2D94145EA7FAADF86260B14407BE8C4CA284DB708883C395

Function 0740C059 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ceefb8a92cfb60a64fac5c09c02dfe204ec5de8d8492a6918a640d28b223ab
Instruction ID: 1dc11eb26927dd679b5ebfe783513576493de7c4557121722eefd74c6f706295
Opcode Fuzzy Hash: b6ceefb8a92cfb60a64fac5c09c02dfe204ec5de8d8492a6918a640d28b223ab
Instruction Fuzzy Hash: B4F027B27042066FC714D6ACA8849AF7FEEFBC8234714407EE10DC7241DA35AC06CBA1

Function 0740CDDB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3dce8ef69d640d9959134596377913607042be9255ca3b3711504fb35c09c
Instruction ID: 8e42c6e5794317f4293b0532ee05b205898f08e680240130966d2d7b7d4cab0e
Opcode Fuzzy Hash: 2ed3dce8ef69d640d9959134596377913607042be9255ca3b3711504fb35c09c
Instruction Fuzzy Hash: C6F024317023429FE3055F34E00066B77A2EFC1258F20847ED4468A752CF32C886C710

Function 07407A12 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec43b935e1b5cad8633d6001cc778caf5fdd8a932b27eec9cf575ca58819eb3c
Instruction ID: ca19e10bcaf101bc9b262431f6d208f4208fe442765fcb375869d9eae9b9dd55
Opcode Fuzzy Hash: ec43b935e1b5cad8633d6001cc778caf5fdd8a932b27eec9cf575ca58819eb3c
Instruction Fuzzy Hash: 93F04F35100702CFCB2A9B25D454A97BBB6FF81325F18847ED49A47BA2C735F881CB92

Function 073D90F0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ed83a599579c8645ff5a61309ad8b9806c927cdad3efd1431e5fc1f0d2773f
Instruction ID: f42dae197fd0678c442410f9f7312e813309764861f4c5aeb65b4ee3225b51e9
Opcode Fuzzy Hash: b4ed83a599579c8645ff5a61309ad8b9806c927cdad3efd1431e5fc1f0d2773f
Instruction Fuzzy Hash: 2BF08C767042149FDB149E1DE88896EFBEEEBC8260714802BF80DC7345CB35EC4287A4

Function 073D7928 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f7050f1841319540680d32855fce11ed9ae7204b2debabc4a993201f4636eb
Instruction ID: 36da03d55feb78c8560cd0637ad2d593bc2f2fb12de357ece08df17aecdd39bb
Opcode Fuzzy Hash: 39f7050f1841319540680d32855fce11ed9ae7204b2debabc4a993201f4636eb
Instruction Fuzzy Hash: 7AE030B63042196F9714A67E585096BB6DEDFC5564310407EA41ED7745DA71EC0143A0

Function 072E3718 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444ad03d64c7efd51a4013d500e485f37678a575f97aa55f85fba5c8a2ead416
Instruction ID: fdfff6191e1c5ae282e8bfdea5eb5d6088d9ce2e4ab88a92c0a6223aa52e4149
Opcode Fuzzy Hash: 444ad03d64c7efd51a4013d500e485f37678a575f97aa55f85fba5c8a2ead416
Instruction Fuzzy Hash: 04F02471105343AFCB029B24E4685A8BFF5FFC2310B10447AD049CB692CB74A854C792

Function 072E2624 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d62e94e27c1873dffca79044f8c0ace5fb8556d180f74dd282955a3886867fa
Instruction ID: 228edc8151be70728e2a45692127aa8a127ac41e0a51b93f7691dac842ef72b8
Opcode Fuzzy Hash: 8d62e94e27c1873dffca79044f8c0ace5fb8556d180f74dd282955a3886867fa
Instruction Fuzzy Hash: 0FF027F2A1D2A28FEB0657386C205552FDDEBA314034481D7D482CB366E928CC0B8B65

Function 073DF40A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1e14cbb6425798b73cefa615f8e682f450968f8f8b73cc0a68c53fc68d3cf4
Instruction ID: 0f40dd66b34c446a94085b813441da3ec108d008233fce700c5bc74a1113c1f9
Opcode Fuzzy Hash: 2d1e14cbb6425798b73cefa615f8e682f450968f8f8b73cc0a68c53fc68d3cf4
Instruction Fuzzy Hash: 1EF09EB27487518FD702573475680EC7FB5AF43010784419AD04A87113CB184A4DC386

Function 072E66D1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f949370c22247547ea0dd9838a59c29fa5cf5ae4ef2e1b3e433b548b8653a5b
Instruction ID: 44cf5f2ad3a8dc79ad2d0f07ef0cb7c0db1265a6674fba4137642a26a4393756
Opcode Fuzzy Hash: 3f949370c22247547ea0dd9838a59c29fa5cf5ae4ef2e1b3e433b548b8653a5b
Instruction Fuzzy Hash: DEF055302083925FD706133A8810025BBBAEFC221075A40B7CA48C7252EB39DC1AC7E1

Function 073DF479 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19587099c337b2f16fde982892c31696df52fe69cbcffe70852ef3f75b2a8b7b
Instruction ID: d5695fa85236dbc6a4fe94f99eaab09ae1956451fd33bd9a98442b7e1a4aa104
Opcode Fuzzy Hash: 19587099c337b2f16fde982892c31696df52fe69cbcffe70852ef3f75b2a8b7b
Instruction Fuzzy Hash: 30F02776704B118FE70A9F39B5190FDBBB1FF81211B04826BE40BDB251DF389A498B80

Function 073D8458 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a69356e3e9ac229e82513c05fe45655f52031e40cbc4bbfec0401845c10bae4
Instruction ID: fcac3e2c0a07b24940a19595f4d29f35b83db416ff4792491dc576154b5039a5
Opcode Fuzzy Hash: 4a69356e3e9ac229e82513c05fe45655f52031e40cbc4bbfec0401845c10bae4
Instruction Fuzzy Hash: 7CE092B23041151F5B18AA9E588496FAADFDFC9560314803AE40DC7385DF71EC0103A1

Function 073D309B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa28168c8b33a8ee755c48d7a670296601e11485059c037400207523069f6ffb
Instruction ID: d6c5a3c248c806e7b7ddcb2db805dca21d5340d9a554218130a07098a0862f3a
Opcode Fuzzy Hash: aa28168c8b33a8ee755c48d7a670296601e11485059c037400207523069f6ffb
Instruction Fuzzy Hash: EDF020613093916FD71A263A28200E97FDA9FC342038900BBD605CB2E6DD6A8C05C3B6

Function 072EC1E5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7181a9386e3a0b316fc24fc3ef03811fec8bee359c476cf0599d97a718384783
Instruction ID: d0d6c63b02fb5bf5326f6aca32008c5874ee4496d00f3d8837bc378bc4c1b202
Opcode Fuzzy Hash: 7181a9386e3a0b316fc24fc3ef03811fec8bee359c476cf0599d97a718384783
Instruction Fuzzy Hash: 8301F2B5A6525AAFDF00CB90D945FEDBB76BF48300F10400AE801BA2A5CB75A980DB60

Function 072E3D91 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae2b13928d4ceb9aeab3ee5ed66f2cd16975b8289796ca2df555520d3bbc400
Instruction ID: 239ef2163e9b0d49b6da5448c11267b9ef9d8579a2a149a6ae3583ba1720e216
Opcode Fuzzy Hash: aae2b13928d4ceb9aeab3ee5ed66f2cd16975b8289796ca2df555520d3bbc400
Instruction Fuzzy Hash: 3FF0AF30505B01CFE314DF26E64A516BFF6FB88311B00852EE88B82A15DB79A949CF81

Function 072E3C38 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8006f36041f40f0e2aa10d44468c2711254702a5d56ddd37cf17a706d4cd9687
Instruction ID: 6ab470a575acac72721956875c709dac5ab3f88273e09fd1862b4b2ba6ecd655
Opcode Fuzzy Hash: 8006f36041f40f0e2aa10d44468c2711254702a5d56ddd37cf17a706d4cd9687
Instruction Fuzzy Hash: 8DF0A7332001066FD649B778B91846E76DBFEC4650754483DD01BDBB94DD31AC8A4791

Function 07406711 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39130ecf5816856cd256eab6eadfeda79e6200a00414bb33a320bd491e661cc9
Instruction ID: a7f295f6023973dd7d6991e4602914838d973cb2d88612ec1b853398a230b243
Opcode Fuzzy Hash: 39130ecf5816856cd256eab6eadfeda79e6200a00414bb33a320bd491e661cc9
Instruction Fuzzy Hash: EFF027712483928FD3115B29D4186957FAAEF06320B5100A7E086C72B2DB74AC82C785

Function 073D30B0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b08e6ac59a94220be49e36a2fa601b22b96b74a9a44fcd75cdb1843df2339e
Instruction ID: 812537aa3232f6eb6fa60fa1d32019ea2e0965ba444110957c63ab94afaab9b7
Opcode Fuzzy Hash: 79b08e6ac59a94220be49e36a2fa601b22b96b74a9a44fcd75cdb1843df2339e
Instruction Fuzzy Hash: 64E026B230021567DB1865BB78005BEA2CEDBC1871708403FE60DDB294DE72CC01C391

Function 072EE2F7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85389feabbbf253e5bede3c1b45dfba706478f4ffed92fae5885fd4bfac1186
Instruction ID: bf80c16e80bb993595877d5b8d2ec5c8cae4c462440393cf25fc3c2555996454
Opcode Fuzzy Hash: d85389feabbbf253e5bede3c1b45dfba706478f4ffed92fae5885fd4bfac1186
Instruction Fuzzy Hash: FAF0E5B1E101599BEB248A25EC40BDABBBDEB84390F0040B7D515A3240EB705994CAB1

Function 072E3DA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f14a55eb6c7812e7544d86585de5e2441957648a1902f3e537d601048fd63e
Instruction ID: 09d465087b093d5b2ea4528d21d5360036c096d9134b7f7d7d6d0ab9f83b2ed6
Opcode Fuzzy Hash: 99f14a55eb6c7812e7544d86585de5e2441957648a1902f3e537d601048fd63e
Instruction Fuzzy Hash: 05F03070505B01CFE754DF26E64A556BBF6FB88311B00852EE48B82A11DB79A845CF85

Function 072E1920 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3401426e4ab7a39de25440cfdd2b94e2afde0d985cb0a9f60bda5f6300adeb3f
Instruction ID: dee792c8e7c140dc5f17b0607dd17974026b65f8f2821c6f988cb5972333fe91
Opcode Fuzzy Hash: 3401426e4ab7a39de25440cfdd2b94e2afde0d985cb0a9f60bda5f6300adeb3f
Instruction Fuzzy Hash: 69E0D8B190524DFFCB45DFB4A90049DBFBAEB8610470041FAE848EB752E6301F199791

Function 073D5735 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539c83029bf5addd08aa484f5c38ca1f7da5c61cdb689efcf0b6c51f17f21df5
Instruction ID: 4de7b0678f73b5d0ae3f4e182b10d7c64fd2c6a4b83750e55dc03d41a5366d57
Opcode Fuzzy Hash: 539c83029bf5addd08aa484f5c38ca1f7da5c61cdb689efcf0b6c51f17f21df5
Instruction Fuzzy Hash: 5CF097366010059FCB01DF94EA44DCDBBB2FB88314B2592A1E5095B225C732EE55CB50

Function 072E25E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9766f70e265cf647426265d333afbfe8da267df60752f07787a80540558220f4
Instruction ID: c5aeab8a63f59df057ecb938e0286cbd00073defc32a3f09e511e076ff0a8326
Opcode Fuzzy Hash: 9766f70e265cf647426265d333afbfe8da267df60752f07787a80540558220f4
Instruction Fuzzy Hash: ADE0D8B17146A78FEB55673878204453FDEF7D51053008591D562D7352ED24CC0E4BA8

Function 073DB801 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da45cefd5b848ee15ddf52534acbd0040ecd2dba4585dcd1d27ad6e78c8c1164
Instruction ID: 9d8a6f2cf94dddf71746344e08d737e5431478fea95ef9b0efdb26834628c022
Opcode Fuzzy Hash: da45cefd5b848ee15ddf52534acbd0040ecd2dba4585dcd1d27ad6e78c8c1164
Instruction Fuzzy Hash: 37E086363142915FC70516A9752446ABBEDEEC652131400B7E906C3342CD654D0647A7

Function 073DC7C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5241d0d6d6639595158567e6d8086958872e8a4925de6cd3df73b2692d3b99
Instruction ID: 95e5a3b1d32d71b3f6756393dba0d78756bdf04d30941b5b3406206823c85492
Opcode Fuzzy Hash: cc5241d0d6d6639595158567e6d8086958872e8a4925de6cd3df73b2692d3b99
Instruction Fuzzy Hash: F6E04F372053918FD3162BB8B52A1D97B65BE066623040096E455C7363DB7E8F45C7E2

Function 07404FA9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0231c76359ab8a02ac1e429052067b7612c5f5dc4c8fcd5de79f1c8d565dfae
Instruction ID: 24cbdb33a518db090fea5e706d43fa526baca739b0ff31290e50f59f6ab03089
Opcode Fuzzy Hash: a0231c76359ab8a02ac1e429052067b7612c5f5dc4c8fcd5de79f1c8d565dfae
Instruction Fuzzy Hash: EDE0DF302052908FC3014728D850965BBF8EF4A220B1102E2E552C72A2CA719C01C780

Function 072E5EE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11877371bd70c179c9994f4baea8bdd663eadaaace6ecbd4bb333160ce660993
Instruction ID: 3338fe84ffd7ebf925f030621195a9b2f17a72e686d94cf4d6ae1a2eedb05d21
Opcode Fuzzy Hash: 11877371bd70c179c9994f4baea8bdd663eadaaace6ecbd4bb333160ce660993
Instruction Fuzzy Hash: 58E026B320C6C66FC302466CF40816B7B6ADFCA620B0581F7D088CBAD7CA284C41C391

Function 073D9E2A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cd2f6f67c1948d44a6a70e6237119efb6f4854891cab6efb2df5805cb4c7b0
Instruction ID: a1fd3a2669d040428a5fe06790eeec0f4c846e67dfc71f13afdb368a46e9023d
Opcode Fuzzy Hash: 14cd2f6f67c1948d44a6a70e6237119efb6f4854891cab6efb2df5805cb4c7b0
Instruction Fuzzy Hash: 68E08C352092548FC3029728E4149D5BBAAAB8A22970580DBE809CF753CA3BEC428B95

Function 073D5A31 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b08097500cca823646a5198533eb8c44490c81f147488e47441e8603774655
Instruction ID: dd6a454219f0b1daff9c4aadc504cf4a173c7bd3859391dc27dd0927f62bd4cf
Opcode Fuzzy Hash: 31b08097500cca823646a5198533eb8c44490c81f147488e47441e8603774655
Instruction Fuzzy Hash: 44D02B336082904BC712177575054CABF34CDC627171480F7ED89D7152EB204E34C3E6

Function 073DF488 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb102dec6a25092459dddfa7229ab0199ed941f1955d30d82ddf0f093f7af6f6
Instruction ID: a812e4efb8910153254d6e4cc94a4eecf8abc6505f18f0210928d6345e885b2e
Opcode Fuzzy Hash: eb102dec6a25092459dddfa7229ab0199ed941f1955d30d82ddf0f093f7af6f6
Instruction Fuzzy Hash: 8FE08C36701A1187DB092A79A41947DB7AAEF862127408129E80BE3301EF38A85487C5

Function 073DF4C8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb93bb8f5cd7eeb5c9905e4cfe7c2cfcd5a90c64fface9329982f62d5aa13b2
Instruction ID: 2b3b984044b17619fbcbd326fda18049883e4b6cd3660af91719ed499bd369e2
Opcode Fuzzy Hash: acb93bb8f5cd7eeb5c9905e4cfe7c2cfcd5a90c64fface9329982f62d5aa13b2
Instruction Fuzzy Hash: C1E07D315093934FE7164A20B3443F1BFF07F02515F142047D08F86941C7245E058740

Function 072EC63E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200a71ee8d9c5c6ca9f0d6e36ae3e0061c4a74dc87e6e25abe50f219421ab311
Instruction ID: f07edc6097a23dc37abf0d0109dab4455ad231deed6237784dac92b34b9fbc67
Opcode Fuzzy Hash: 200a71ee8d9c5c6ca9f0d6e36ae3e0061c4a74dc87e6e25abe50f219421ab311
Instruction Fuzzy Hash: 51E01AB0D1420D9F8B44DFA9D4015BEBFF4AB08200F10816AE558E2344E2344641CFE5

Function 07404601 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acf37ee10e4fbad51a4a245343c85d1b489b63263862e2c451ae2b5288173fe
Instruction ID: 3f1b588bec422da7bc8f69038e010a180eaeab74ce148f921bce1501220312ff
Opcode Fuzzy Hash: 3acf37ee10e4fbad51a4a245343c85d1b489b63263862e2c451ae2b5288173fe
Instruction Fuzzy Hash: 38E0C2FC38A2D25FE303433898101E23B709D8321578854EBC28487292E4288D8BC7B2

Function 073DC7D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5221dc905432bb30e1190c7629c05016ee8b3132436ea94b432757482d2c508d
Instruction ID: aaecc93fce8025a386cc148d7da022e9e3de54a31f4a5b3cd556d939b59e9835
Opcode Fuzzy Hash: 5221dc905432bb30e1190c7629c05016ee8b3132436ea94b432757482d2c508d
Instruction Fuzzy Hash: 66D017322102188BD7543BB8B40A5AA77ADEB48662304006AE81AD2251EF7E9C81CBA1

Function 072EC640 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f64d3865949a240a96ea405ae754961c95e393bbaf56efec5f17e8a52ecb72
Instruction ID: 3078317220ca4d06a144e28048db8e135133c8e61b8b125314605830e9204b9c
Opcode Fuzzy Hash: c9f64d3865949a240a96ea405ae754961c95e393bbaf56efec5f17e8a52ecb72
Instruction Fuzzy Hash: 7AE092B0D1420E9F8B94DFA9D5415BEBFF8AB48200F10816AE928E6344E6745A51CFE5

Function 072E3E60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e3e59a045a3dda3399646ec96a71b601f6db505ea3e7e0a193c5e2db11d4d5
Instruction ID: 1969535b7b07220b57d0d0c2544bef4ee4d721d3027938f6d7ce8cf987920fba
Opcode Fuzzy Hash: 60e3e59a045a3dda3399646ec96a71b601f6db505ea3e7e0a193c5e2db11d4d5
Instruction Fuzzy Hash: 4DE086A41081D68FD752CB28C4957853BA0EB81701FC940E5C0C4CB5A2CB388C59C752

Function 073DC6D9 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e962282e9774ea3ab44c7793d15c6613c0aa5ecc25dd20eb2b955076e081f9
Instruction ID: 0c44a45542297a6decb7c5a2cfc533db38e0c3bf9e51119fec22bb38961589ba
Opcode Fuzzy Hash: 41e962282e9774ea3ab44c7793d15c6613c0aa5ecc25dd20eb2b955076e081f9
Instruction Fuzzy Hash: F5D0A7B22547444FEB0213B47A393DA3F29B702601F441097E189C6183DF1CAB059B72

Function 073DB810 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833ff3fd6401496652f4f9813379702c7b919fd7a4f4acb14b5878fcbe54bf34
Instruction ID: 9e3c41b1eb480afa66c36abf9aa6b1889291c7c18f8e179f780621ce27e52c6c
Opcode Fuzzy Hash: 833ff3fd6401496652f4f9813379702c7b919fd7a4f4acb14b5878fcbe54bf34
Instruction Fuzzy Hash: 55D0A7323000142F460425DDB41542F7ADEDAC9561300003AE90AC3340CD554C0203A6

Function 072EA7BA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09eca5e4568c8fa39114dba2ca3066c53a507e767c2c91cac546ecc8c2dbcb01
Instruction ID: 62fd82daac575a2b0d7c26458ec2455914dd0a9504c06e8a8f8b5a04271c8972
Opcode Fuzzy Hash: 09eca5e4568c8fa39114dba2ca3066c53a507e767c2c91cac546ecc8c2dbcb01
Instruction Fuzzy Hash: 47E0C2605082F14ED31A6B7940640297FF0AE8158032C8CDFC0D1CF145C6209858C752

Function 072E1930 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2385229428.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_72e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b65228d9e096ca1580964efede8514a7f170319e879baf076f3f71882fdaf00
Instruction ID: 0df2603fd9887c6482a20f4a156ba2e59e8d92ab35d5ac019f7ce693c37cb45f
Opcode Fuzzy Hash: 1b65228d9e096ca1580964efede8514a7f170319e879baf076f3f71882fdaf00
Instruction Fuzzy Hash: 23D05EB1A0110DFFDF40EFA9EA0559DFBF9FB85200B1081A9D809E7311EA316F049B81

Function 07404FB8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953597f268b03ace8f405dcb0e485695b88ea0be2925192f60ff6082c8cc5ee9
Instruction ID: 49ee7f3645ff404367e8813a259ec8265d49da11c0df061c0361ffbbc9bc5668
Opcode Fuzzy Hash: 953597f268b03ace8f405dcb0e485695b88ea0be2925192f60ff6082c8cc5ee9
Instruction Fuzzy Hash: 4AD0A7343001148FD200971CD404D9677EDEB49721F014096F905C7361CBB2EC0187C0

Function 073D9FA2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ed1f2aee10570996570fefe191b34877701fc2262f451be1af399718c6c7e5
Instruction ID: 6723c71131c64336c56e4929b01f3734d862f59fed76b42cfb8eae7dbba7ce91
Opcode Fuzzy Hash: b9ed1f2aee10570996570fefe191b34877701fc2262f451be1af399718c6c7e5
Instruction Fuzzy Hash: 29D0A73745B7924FFF224A2068042F137399BC213370CC5E3D15C84CD7823C58069210

Function 073D9E38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ea7d7a30e228fb0be4c43caada72a4585a58f72e4ed0396b01afc523e26ab8
Instruction ID: 4dd53953825a4cf2850f2f20bec37459f3ef8d46d912df78601618f26d5a48ee
Opcode Fuzzy Hash: f1ea7d7a30e228fb0be4c43caada72a4585a58f72e4ed0396b01afc523e26ab8
Instruction Fuzzy Hash: F4D052343002148FC304AB28D00481AB7EEEB8821931084AAEC088B302CB33EC028B84

Function 073DF4D8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef53bf9624a9b52126c92db443b96efd7bf3f22d96291699314edba1d4cde14
Instruction ID: d8a01a5bcc61ca62baf5614e211eab9a13e3747f2c0122bfc29fb90c64cfb098
Opcode Fuzzy Hash: 1ef53bf9624a9b52126c92db443b96efd7bf3f22d96291699314edba1d4cde14
Instruction Fuzzy Hash: D2D0233160573A9FD7305D14E24CB7177ECBF05525F40201DD45F42900CB647C404BC0

Function 073DC6E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df75b136e8556f69cad6e0f78e37cded98e40a2f63c964614857883b8bb91f9
Instruction ID: 0efd71e0ca161658862e5b3e1a2f19163f120ab5767411eee315768eb413f09d
Opcode Fuzzy Hash: 3df75b136e8556f69cad6e0f78e37cded98e40a2f63c964614857883b8bb91f9
Instruction Fuzzy Hash: 27C04C723545094FEB502AB5790A326375DA740716F440065E50DC5541EF6ED8109661

Function 073DF860 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d7d9da7f83097ce05833cf93bcdc9d596d52286615cac5acbf7f192d5c23d9
Instruction ID: d8e3c26ada1afd10975184fd31710423140b66a8e925954a200c88b2767db36b
Opcode Fuzzy Hash: 76d7d9da7f83097ce05833cf93bcdc9d596d52286615cac5acbf7f192d5c23d9
Instruction Fuzzy Hash: 6BC0123A10A3D08EC70366B023390D1BFA8BAA320030A26DBD0808B26783680B0AC721

Non-executed Functions

Function 05B54320 Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 05B54387
RtlDecodePointer.NTDLL ref: 05B543CC
RtlEncodePointer.NTDLL(00000000), ref: 05B54437
RtlDecodePointer.NTDLL(-000000FC), ref: 05B54481
RtlEncodePointer.NTDLL(00000000), ref: 05B544C1
RtlDecodePointer.NTDLL ref: 05B54507
RtlDecodePointer.NTDLL ref: 05B5454B

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: d2b85ee6f4b20afa3023b159da58d3f463614b4b36ca1e1f9b026736e9b8af6b
Instruction ID: 112ba3b231454eb7845249414019e5345278aee60cdf3e55e6d5dcce2ba0bfbe
Opcode Fuzzy Hash: d2b85ee6f4b20afa3023b159da58d3f463614b4b36ca1e1f9b026736e9b8af6b
Instruction Fuzzy Hash: B4810775C45208DFDF15DFA8E1887DDFBF1AB08328F24809AE859A7290C7B55884CF65

Function 05B5430B Relevance: 10.7, APIs: 7, Instructions: 163COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 05B54387
RtlDecodePointer.NTDLL ref: 05B543CC
RtlEncodePointer.NTDLL(00000000), ref: 05B54437
RtlDecodePointer.NTDLL(-000000FC), ref: 05B54481
RtlEncodePointer.NTDLL(00000000), ref: 05B544C1
RtlDecodePointer.NTDLL ref: 05B54507
RtlDecodePointer.NTDLL ref: 05B5454B

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: dad6f6d2cfa30724d701bbef60ab477a27a12717e20745c5b4d6c640752e41fd
Instruction ID: 4f807871df0c0ee72bbeb804fe438d8c38ddf9840aa5f926835db7ec72701dc7
Opcode Fuzzy Hash: dad6f6d2cfa30724d701bbef60ab477a27a12717e20745c5b4d6c640752e41fd
Instruction Fuzzy Hash: AF711571845248DFDF29DFA8E1887DCFBF1AB08328F24809AE859A7291C77558C4CF65

Function 05B54698 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 05B546F4
RtlDecodePointer.NTDLL ref: 05B54733
RtlEncodePointer.NTDLL(00000000), ref: 05B5479A
RtlDecodePointer.NTDLL(00000000), ref: 05B547D6
RtlEncodePointer.NTDLL(00000000), ref: 05B54810
RtlDecodePointer.NTDLL ref: 05B54850
RtlDecodePointer.NTDLL ref: 05B5488E

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 49ebd95293eb5b801db42c95761b2fc50f19e500c12f067df73b737765e2d38d
Instruction ID: 49fc17cc65576c3965639c67f46101d21645ea5078014a64df35fc82bdc136c3
Opcode Fuzzy Hash: 49ebd95293eb5b801db42c95761b2fc50f19e500c12f067df73b737765e2d38d
Instruction Fuzzy Hash: DB614C71804359CFDF24DFA9C4483AEBBF0FB19329F148459D469A6290C77961C8CFA5

Function 05B54689 Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 05B546F4
RtlDecodePointer.NTDLL ref: 05B54733
RtlEncodePointer.NTDLL(00000000), ref: 05B5479A
RtlDecodePointer.NTDLL(00000000), ref: 05B547D6
RtlEncodePointer.NTDLL(00000000), ref: 05B54810
RtlDecodePointer.NTDLL ref: 05B54850
RtlDecodePointer.NTDLL ref: 05B5488E

Memory Dump Source

Source File: 00000003.00000002.2379298573.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b50000_MSBuild.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 4d1738931faf87cc4a27b9a6e9422d728ebfe7b9dd666cb4967326f13365edb7
Instruction ID: 08ee70de1fdc1bfad721fcc19a577ca5c63a427b05ed4b9e9252710c9afc5e2d
Opcode Fuzzy Hash: 4d1738931faf87cc4a27b9a6e9422d728ebfe7b9dd666cb4967326f13365edb7
Instruction Fuzzy Hash: 1C614A71844349CFDF25DFA9C4483AEBBF0FB19329F148459D469A6290C37861C8CFA5

Function 073D2A38 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

\s^q, xrefs: 073D2BE5
\s^q, xrefs: 073D2B8F
\s^q, xrefs: 073D2B54
\s^q, xrefs: 073D2AB5
\s^q, xrefs: 073D2C4D
\s^q, xrefs: 073D2AEC
\s^q, xrefs: 073D2C84

Memory Dump Source

Source File: 00000003.00000002.2386748565.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_73d0000_MSBuild.jbxd

Similarity

API ID:
String ID: \s^q$\s^q$\s^q$\s^q$\s^q$\s^q$\s^q
API String ID: 0-1705958294
Opcode ID: cb4b0d06579d3cfad1adcd34d16ef75128260a8ac15dc70c5841c3652076ffc6
Instruction ID: ec60efbedb264bef8bf748776625d3a5b8dbaeb755256887e311769c6a1ca562
Opcode Fuzzy Hash: cb4b0d06579d3cfad1adcd34d16ef75128260a8ac15dc70c5841c3652076ffc6
Instruction Fuzzy Hash: CC916771A0020ADFCB14DF68D58096ABBF2FF88704B548568E849AB775DB30EC45CB90

Function 07409120 Relevance: 7.9, Strings: 6, Instructions: 383COMMON

Download Yara Rule

Strings

(_^q, xrefs: 07409547
(_^q, xrefs: 0740919D
(_^q, xrefs: 0740932D
(_^q, xrefs: 074094BD
(_^q, xrefs: 074093B7
(_^q, xrefs: 07409227

Memory Dump Source

Source File: 00000003.00000002.2386874451.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7400000_MSBuild.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 18666e36ecf0ce0462b1565cbeb8fe8b6fc5d036c9cf69c345b5e2b5574739fc
Instruction ID: 4e8fcc9186ca5c079f213fd9326f7a09c0429d62920951ba0bb5d8ed077a407a
Opcode Fuzzy Hash: 18666e36ecf0ce0462b1565cbeb8fe8b6fc5d036c9cf69c345b5e2b5574739fc
Instruction Fuzzy Hash: 3DE190B5B002059FDB049F78D4146AE7BF6FF89350F24856AD806DB382EA35ED06CB91

Analysis Process: universal_.exePID: 2128, Parent PID: 1044COMMON

Executed Functions

Function 00FF87F0 Relevance: 2.4, Strings: 1, Instructions: 1156COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00FFA405

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e686255ad9ad7589a6b7a554d96664ae0ddd0f299c9e27f33bf67149ea7f7cd9
Instruction ID: 58816296f551601ed1e3334bb70b6ef696f7904f66b8f8b7edf2ade930fbb672
Opcode Fuzzy Hash: e686255ad9ad7589a6b7a554d96664ae0ddd0f299c9e27f33bf67149ea7f7cd9
Instruction Fuzzy Hash: E4A23674B046098FCB28DF38C994A7A77B2BF88314B1449A9E616CB3B1DB74EC45DB50

Function 00FF5E98 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

dbq, xrefs: 00FF5F17
tP^q, xrefs: 00FF605B

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: 0ce7a1aceb90d0f9f4522a821da19e649f12c81719918887e8d278f04d34b802
Instruction ID: 2be93baf943efd347c738e3a2071713aa325385eff067d382dcd9ed71932b431
Opcode Fuzzy Hash: 0ce7a1aceb90d0f9f4522a821da19e649f12c81719918887e8d278f04d34b802
Instruction Fuzzy Hash: 3991AD34B00209CFDB08AB74D95877E77A6EF88304F144569E506EB3A4EF758D85CB61

Function 00FF5E88 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

dbq, xrefs: 00FF5F17
tP^q, xrefs: 00FF605B

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: fd002393f201319cbac85c3784291334f015aadc3ee884ca3a62bba21f2ec19a
Instruction ID: ec5ad5a9c40ad1580fae372323375884a92e5f7f8de397a7171ec22a3a4e28d4
Opcode Fuzzy Hash: fd002393f201319cbac85c3784291334f015aadc3ee884ca3a62bba21f2ec19a
Instruction Fuzzy Hash: 3A91CD34B00214CFDB09AB34D95876E7AA2EF88304F144979E906EB3A4EF75CD85CB61

Function 00FF5E43 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

dbq, xrefs: 00FF5F17
tP^q, xrefs: 00FF605B

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: 3a81df3c8722d9efef9273eba5797465abc6c45fd3ae72f5b730cb3dfcb2ea83
Instruction ID: 513032ce09dac92a03da2349ab4fdef2bd86ab98f25377148988bf63ff4802f0
Opcode Fuzzy Hash: 3a81df3c8722d9efef9273eba5797465abc6c45fd3ae72f5b730cb3dfcb2ea83
Instruction Fuzzy Hash: EC91AC34B00205CFDB09AB74D95876E7BA2EF88305F144979E506EB3A4EF75CC868B61

Function 00FF5E53 Relevance: 2.7, Strings: 2, Instructions: 224COMMON

Download Yara Rule

Strings

dbq, xrefs: 00FF5F17
tP^q, xrefs: 00FF605B

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: dbq$tP^q
API String ID: 0-4102089975
Opcode ID: cc9603643306874f8dc919898e6ca2e92739f36ccc68b087d423b1f7250a76f5
Instruction ID: 8faf4ba09ceb3f4b233fa4282d41530f4eb1f33f73e154b5c2a9061607b40981
Opcode Fuzzy Hash: cc9603643306874f8dc919898e6ca2e92739f36ccc68b087d423b1f7250a76f5
Instruction Fuzzy Hash: E581BD34B00205CFDB09AB74D95877E7AA2EF88305F144969E506EB3A4EF75CC86CB61

Function 00FFAACF Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C8, xrefs: 00FFAB49

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: C8
API String ID: 0-392638660
Opcode ID: d3f1238a4fbffdca97696995dbf8ecb3cea5d3b4f644f0ab27dea1e327a8659e
Instruction ID: f1b8b4abe383395af49d8d730f99deca4c26ce0d6916707b30578435c70a9fb2
Opcode Fuzzy Hash: d3f1238a4fbffdca97696995dbf8ecb3cea5d3b4f644f0ab27dea1e327a8659e
Instruction Fuzzy Hash: F541CE317002048FCB15EB68D994A6EBBF6EFC5360B048169F50ADB3A5DF34ED418BA1

Function 00FF6C68 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00FF6D24

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 33b6111fa29465153c3087cea4a265fd83527d9fd260d988c4b8c36a93d57ca1
Instruction ID: f9044b191970bcf71bc9d6318f26a485d6a3b5ebc4ef58ac9078e977bf11fa5a
Opcode Fuzzy Hash: 33b6111fa29465153c3087cea4a265fd83527d9fd260d988c4b8c36a93d57ca1
Instruction Fuzzy Hash: 99418830B002149FCB18DF69C558BAEBBF6AF89710F258469E406EB3B5DF749D018B90

Function 00FF10A0 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00FF110C

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6d6980d25330f10d90f4c85b7c4181a24994159a7c1f454aaec4f2433b503c77
Instruction ID: 2510add0082614ffa6ad22b3213112215755998ffcb9a65e4aefc1c4ac41830a
Opcode Fuzzy Hash: 6d6980d25330f10d90f4c85b7c4181a24994159a7c1f454aaec4f2433b503c77
Instruction Fuzzy Hash: DE219D31B40215CFCB149B68D858BAEBBF6AF88714F20045AE201EB3A1CA719D059BA1

Function 00FFA550 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7345b32c2f67694a88ed3211e433ba5a8b6af0b7fa8d05a0ce74b48283b760
Instruction ID: 63483dab183ca0d21a519f8d7d30991c6dc2cf5ed3a14ffe83d56d26ac03a3f1
Opcode Fuzzy Hash: bf7345b32c2f67694a88ed3211e433ba5a8b6af0b7fa8d05a0ce74b48283b760
Instruction Fuzzy Hash: 5E02F471704205CFC714DF38C990A7A77F6AF89754B1844A9EA0ACB361EB39EC06D762

Function 00FF92DA Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f155bad51245e5c2a45122645d308ee30777d67c07aa61cecfee0aa2ba7247
Instruction ID: c98e304a624255fc5ef9719f51d805d3ba5cdaeb6d5d7a818f7aa29918fddba3
Opcode Fuzzy Hash: 90f155bad51245e5c2a45122645d308ee30777d67c07aa61cecfee0aa2ba7247
Instruction Fuzzy Hash: 5E51CF317086088FC725CF34C894A7ABBB6BF85310B144499E606CB2B1CB75EC45DB60

Function 00FF9BE7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2468fbcf864a9b8969df3d4e0c1ce4513b47ec82383a8db7a170dde90a575d67
Instruction ID: 7a945fef8b46593c8a721875af36bbde9ee750a6967ad062133e85d74ba880a0
Opcode Fuzzy Hash: 2468fbcf864a9b8969df3d4e0c1ce4513b47ec82383a8db7a170dde90a575d67
Instruction Fuzzy Hash: 09512575704609CFC728DF28C584A6A77F2BF89314B2008A8E656CB371DB71EC45DB10

Function 00FF0E9B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ea338ebb52a8c7fec878933517585f1d9b0624a22b257770c503a5b5191746
Instruction ID: 361e7e4c8f5a997df4ac1c87d514a2150a7f01aad140e826a52d9778ebb2c52f
Opcode Fuzzy Hash: a9ea338ebb52a8c7fec878933517585f1d9b0624a22b257770c503a5b5191746
Instruction Fuzzy Hash: A431BE35E00209DFCB14CF64D844BADBBB2FF48314F208269E505AB2B1DB719985DF80

Function 00FF6A28 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6116700c801a27d0129acbcdba3bbb0293751f7592e8da2bc8e300bf18bce9
Instruction ID: 530dbb4d492e4f038b167e850e2674ceae9c38183a4d22023cdf2803e7e2868c
Opcode Fuzzy Hash: 8b6116700c801a27d0129acbcdba3bbb0293751f7592e8da2bc8e300bf18bce9
Instruction Fuzzy Hash: AF310734D01209EFCB04EFA8E995AEEBBB2EF88300F104529E501F7364DB759945CB61

Function 00FF6A38 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec997380394920d3b28f73f58d80850ce8f44a60207859ec5802772f8f0ff664
Instruction ID: 901e951a7252422c28ea550f53c486ed43fe50b0a88d068844fe986b78fcafc3
Opcode Fuzzy Hash: ec997380394920d3b28f73f58d80850ce8f44a60207859ec5802772f8f0ff664
Instruction Fuzzy Hash: 3031C534D01209EFCB04EFA8E595AEEBBB2EF88304F108529E511A7364DB35A945CB61

Function 00FF11B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a1e70210b2f43ec8711280c7e8d35c5d1c0b9427ec358ca88626a0ccf70362
Instruction ID: b8495a0a0132f89adb1e00e84a2910cc2079944031124dc0b49baa74821b0070
Opcode Fuzzy Hash: 28a1e70210b2f43ec8711280c7e8d35c5d1c0b9427ec358ca88626a0ccf70362
Instruction Fuzzy Hash: E411A335704204DFC3054BAAD844B62BBFAFFCA76072580A6F609CB331DA61DC019B60

Function 00FF0D40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea124ded9d3a67ebee98567dfed6219b3f93e6420d6964c9a49f8c665bddf77
Instruction ID: 656101026e4a81ebfcb243bb89178c494b88b3ad06937a32ea19cf8a0407de49
Opcode Fuzzy Hash: fea124ded9d3a67ebee98567dfed6219b3f93e6420d6964c9a49f8c665bddf77
Instruction Fuzzy Hash: 4B0168367057058BC301AA79BC8066E77D7DBC0774B24043AE20ACB396EE31DC0283A1

Function 00FF8740 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc7bc19e808b0607d5c45a8d9ab125661a8e65d85e48a43e9aad8186f2d3d34
Instruction ID: 0a53e302f65c314f51d28d58415cb2f3b57784e6165372f57b3fb0db504af551
Opcode Fuzzy Hash: 5dc7bc19e808b0607d5c45a8d9ab125661a8e65d85e48a43e9aad8186f2d3d34
Instruction Fuzzy Hash: 9C01693A3146008FC324DF29C884EA677B6EF89761B210999E506CB3B1CB21EC45CB20

Function 00FFAA18 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470eff37282b5a0f9398b3fef2101aba636b18c01ce2b020c838205ff7d15416
Instruction ID: ee4c5c01c50dc7f0bc4c17796fe9d3b8a50c733e47b177a225c639a67bad8558
Opcode Fuzzy Hash: 470eff37282b5a0f9398b3fef2101aba636b18c01ce2b020c838205ff7d15416
Instruction Fuzzy Hash: A8F02872304205DFDB1486189A80B77B7A9DF89260714963A960EC7344DE3CDC01D355

Function 00FF1220 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782314c4fb6a9802472d1a31f99361be572ca773ce62309e0ccd62ba1ee88de8
Instruction ID: ec9a51d7f1f20651a4f81a5e5d3114b80db1fbb0d889aaf0b5aeb4def07bace9
Opcode Fuzzy Hash: 782314c4fb6a9802472d1a31f99361be572ca773ce62309e0ccd62ba1ee88de8
Instruction Fuzzy Hash: 70F0CD317082548FC3045BBE9850B367BE6FFD6760B2981A7F615CB3B2CA20CC05A761

Function 00FF1210 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe9171f1b6f1a3d12a63ab63629921769de685fc999acfa812875cfc42eb918
Instruction ID: 64dc5edbefa04908df78406905388512f9362a7b9ad27ee2f978d557873b653d
Opcode Fuzzy Hash: 3fe9171f1b6f1a3d12a63ab63629921769de685fc999acfa812875cfc42eb918
Instruction Fuzzy Hash: C6F030357042449FC3055B7AD844B957BFAFFC6770B2980AAE545CB372EA61DC028750

Function 00FF11C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7623e4fda86fbe000ae21afacf857e127b1a3316a0289e0f74650fa25ab72af
Instruction ID: f61d351ba4bce64efd3650f0f18913f5aab4d067c54b1858f8493915f8aaa9df
Opcode Fuzzy Hash: f7623e4fda86fbe000ae21afacf857e127b1a3316a0289e0f74650fa25ab72af
Instruction Fuzzy Hash: B2F01535700504AFC2149A9ED884F56BBEAEFC9B64B258069F20ACB775DA61EC028660

Function 00FF0FAB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d074256660471dbf347225271a10b8990b3a1a51f5dcf05778c776743268553f
Instruction ID: 695af9301080307ca2706f5cc02102aa9a64037c4fd6f01f7c0c02431a0061c4
Opcode Fuzzy Hash: d074256660471dbf347225271a10b8990b3a1a51f5dcf05778c776743268553f
Instruction Fuzzy Hash: F3F0E27490121EDBDB24DFA0D969BBEBBB1BF44301F200519D102A23A8CB741981EB81

Function 00FFB050 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600dae9d80e8b23c59395b32e20192f19d3882c0a2f255ff6bbb2eff1942c7ec
Instruction ID: 3e8d5c00e5cb3451cd53fcaf2df84e6846078bb625491e442249a005cfd0310e
Opcode Fuzzy Hash: 600dae9d80e8b23c59395b32e20192f19d3882c0a2f255ff6bbb2eff1942c7ec
Instruction Fuzzy Hash: C5F08C70C082499FCB41EFB8CA517DEBFB4EF09200F1045AAC0A9E7261F7705A04CBA2

Function 00FF6BE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed079d9a4cea9eaa61db8fe5680796494e3af1e404dc1419c23ebc3be28c4d2
Instruction ID: 6c1c1327ea995733778439526f9461bacb877aa54b924d866fead7a3ebdea81d
Opcode Fuzzy Hash: 8ed079d9a4cea9eaa61db8fe5680796494e3af1e404dc1419c23ebc3be28c4d2
Instruction Fuzzy Hash: D1E0C232701219A7DF04259DA1003FA77CCDF81366F0884BAE649C72A0EF2ACD41A390

Function 00FFB060 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5355a1490b4dea811f3ed8117593b8e2ea8b93e343be73e89443a83a499b451f
Instruction ID: 3422154de07e4e3232733cb54a7fd1a1fc05a7db36d478e2c4b39a57517438b0
Opcode Fuzzy Hash: 5355a1490b4dea811f3ed8117593b8e2ea8b93e343be73e89443a83a499b451f
Instruction Fuzzy Hash: 99E0ED71D102199FCB44EFA8DA416DEBBB4EB08200F104566D559F3244F7706B05CB92

Function 00FF1060 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846babcfeeb4799e857d09028bf30e310bc30bfd8c02e073cbf10ebe5e5f36ef
Instruction ID: 7a20e956896ce02032f4d68e270a101d58803ae5cdf2a3d32ead4a731b807071
Opcode Fuzzy Hash: 846babcfeeb4799e857d09028bf30e310bc30bfd8c02e073cbf10ebe5e5f36ef
Instruction Fuzzy Hash: 6FE0EC76905309EFC714DFB1D904599B7A8AB05215B1045A5D905C7220EA329A02DB51

Function 00FF13E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a397383f50bc0a4230f9a5adcc95298f7a3eb1d17654389c67dee7a26acce5
Instruction ID: 8a01cb2fc29329723bb78a11a9ec88a6179f244b7167fb21e3b75ed4e5c7693e
Opcode Fuzzy Hash: a6a397383f50bc0a4230f9a5adcc95298f7a3eb1d17654389c67dee7a26acce5
Instruction Fuzzy Hash: C4E09271D49288DFCB01DBA8D9500ACBFB2DA46204B0805EED408D7351D5302E01D711

Function 00FF1068 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2374b9ad48c380cac9e5a895f566536d1e7aa5acbf44ad6932fe1c9ee4c6a662
Instruction ID: 145ef68d0251e5c808f89d0ea6b3eac49adaf616ae1be996885ff2e7bd29573b
Opcode Fuzzy Hash: 2374b9ad48c380cac9e5a895f566536d1e7aa5acbf44ad6932fe1c9ee4c6a662
Instruction Fuzzy Hash: CDD01736A0520DEBCB10DFB0AD015AAB7ECEB09215B1006EA9D0DC3210EA32DE119791

Function 00FF13F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8168433470c5866e16d9d239e3744c4acc45dafe637d7ff1753a3cffbc3134
Instruction ID: 284f27b5cf66532e6b09e459f69eb8a8abb2318722ea10b40a5143359f9f6ab8
Opcode Fuzzy Hash: 6e8168433470c5866e16d9d239e3744c4acc45dafe637d7ff1753a3cffbc3134
Instruction Fuzzy Hash: 44D05E70A4620DEFCB40EFA8EA5156EB7F9EB45308B1445ADE808E7300EA316F009B90

Function 00FF6B98 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ce585d7a81173579edda134612e1f8b7450c2663e9b895ac7e59833e857c33
Instruction ID: d0690b479109b529495e1fd0f9180e64a35032c20264abe7c7464d86129dd854
Opcode Fuzzy Hash: 24ce585d7a81173579edda134612e1f8b7450c2663e9b895ac7e59833e857c33
Instruction Fuzzy Hash: 56D0A938501881C7EB41FF08D0C2701B72AEB80304F100268B0424F38CEF348910DB71

Function 00FF0840 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92f33609cf1bc810b160d7bf5e143976b0e85f08a2230921d16bdac0021249f
Instruction ID: 8166b0306da26c705adf01c8173d03e544e3328a00e32eb49294a92312e677c7
Opcode Fuzzy Hash: e92f33609cf1bc810b160d7bf5e143976b0e85f08a2230921d16bdac0021249f
Instruction Fuzzy Hash: FDC02B70008B0CDFD34137447C147103B6C8789710F8100E1BD4CCB293F5890C004770

Function 00FF0D10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e14580a70fe4152f8ccf49d504db50726217ad76de9655fda6812aed700f977
Instruction ID: 018e555e2d04e92085eedc5117fd6b812cd2ffc439f4b95da56b78acfbd16bac
Opcode Fuzzy Hash: 2e14580a70fe4152f8ccf49d504db50726217ad76de9655fda6812aed700f977
Instruction Fuzzy Hash: 35D0027255F3C55FDB538B3088760867FB0DE1732472A58DBC4808F067E22A191AD726

Function 00FFA3EB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d72d6289ca46ce8c967394716e3a7ada868f2a7fc651282fff7326d4317397a
Instruction ID: f05378501eaa91fd0511fd688b685365f40ec3fa68d7681eed8cba866d9b0c08
Opcode Fuzzy Hash: 9d72d6289ca46ce8c967394716e3a7ada868f2a7fc651282fff7326d4317397a
Instruction Fuzzy Hash: D3B09B77B24114875504574574445FDF36AD7D42227244023D315D1410D7711675A651

Function 00FF0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d91beb7269d03519d00b37a5f2fb5ca7d5feb512a8d3ff467947c6b276a1c9
Instruction ID: 93dadd5df114325a08bece8342e2b3decf73a9f3782f5667056e662d2ef0396c
Opcode Fuzzy Hash: f9d91beb7269d03519d00b37a5f2fb5ca7d5feb512a8d3ff467947c6b276a1c9
Instruction Fuzzy Hash: 42900231045B0CCB495037957919669775C95849357800151A50D856155A55681049A5

Function 00FF0488 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2328328611.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ff0000_universal_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f6359be1acd54ee531546367f5c12ec04828e32a0a7c3d55b833b6cce5e20d
Instruction ID: 6887ce3d9a8d6cd2adc1e7b9890c735ab2df99b4ece918380e36e4b75b1eb7f2
Opcode Fuzzy Hash: 86f6359be1acd54ee531546367f5c12ec04828e32a0a7c3d55b833b6cce5e20d
Instruction Fuzzy Hash: 54A001B160150ACB8E04AB51EE59639BB61AB843117159294950A8A2668E61A840EA90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wave.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: OrcusRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wave.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\universal_.exe.log

C:\Users\user\AppData\Local\Temp\{abe5374c-2074-44b6-9bd8-3500b416e91c}.bat

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe.config

C:\Users\user\AppData\Roaming\securedatalifeasync\universal_.exe:Zone.Identifier

\Device\Null

Static File Info

General

Windows Analysis Report
Wave.exe

Function 013A8D40 Relevance: 2.0, Strings: 1, Instructions: 741
COMMON

Function 013AC6C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 173
threadCOMMON

Function 013AE340 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre