Windows
Analysis Report
otq7hhgWfq.exe
Overview
General Information
Sample name: | otq7hhgWfq.exe (renamed because original name is a hash value) |
Original sample name: | e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f.exe |
Analysis ID: | 1659277 |
MD5: | d7ebf3ef787a3fb57a1a0fa793d0b2ab |
SHA1: | 959b4e0de4ee49034442e02fe1a0a5979217b1a4 |
SHA256: | e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f |
Tags: | exe, user-adrian__luca |
Detection
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - otq7hhgWfq.exe (PID: 7036, cmdline: "C:\Users\user\Desktop\otq7hhgWfq.exe", MD5: D7EBF3EF787A3FB57A1A0FA793D0B2AB)
    - MSBuild.exe (PID: 7080, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    - MSBuild.exe (PID: 7084, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    - MSBuild.exe (PID: 2436, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DarkCloud Stealer | Stealer is written in Visual Basic. | No Attribution | | |
{
"Exfil Mode": "SMTP",
"Username": "carolina@sanzaniviajes.cl",
"Password": "Gemelos2008*",
"Host": "mail.sanzaniviajes.cl"
}
Rule | Description | Author |
---|---|---|
JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
System Summary |
---|
Source: | Author: Kiran kumar s, oscd.community: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-08T13:31:49.344989+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49686 | 162.55.60.2 | 80 | TCP |
- AV Detection
- Compliance
- Spreading
- Software Vulnerabilities
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Neural Call Log Analysis: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Source: | IP Address: |
Source: | DNS query: |
Source: | Suricata IDS: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | Code function: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Process information set: |
Source: | Window / User API: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: |
Source: | Memory written: |
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | Key opened: |
Source: | File opened: |
Source: | Key opened: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 312 Process Injection | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 11 Input Capture | 21 Security Software Discovery | Remote Desktop Protocol | 11 Input Capture | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | 1 Credentials in Registry | 1 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Data from Local System | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Detection | Scanner | Label | Link |
---|---|---|---|
68% | Virustotal | | Browse |
69% | ReversingLabs | Win64.Trojan.Leonem | |
100% | Avira | HEUR/AGEN.1361736 | |
100% | Joe Sandbox ML | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high |
showip.net | 162.55.60.2 | true | false | | high |
pki-goog.l.google.com | 142.250.80.99 | true | false | | high |
c.pki.goog | unknown | unknown | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
162.55.60.2 | showip.net | United States | | 35893 | ACPCA | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1659277 |
Start date and time: | 2025-04-08 13:30:54 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | otq7hhgWfq.exe (renamed because original name is a hash value) |
Original Sample Name: | e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@7/59@3/1 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.204.23.20, 172.202.163.200, 199.232.210.172, 13.95.31.18, 13.85.23.206
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes were analyzed; report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
07:32:03 | API Interceptor | |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.272509351228049 |
Encrypted: | false |
SSDEEP: | 6:tSWE1Xp0+E1Xp0+E1Xp0+7Z0+7Z0+7Z0+7Z0+7Z0+7Z0+7Z0+6dpx:tlmp0+mp0+mp0+90+90+90+90+90+905 |
MD5: | C47959B8242FE852F0BDC9178F6DC45C |
SHA1: | B98E2FB49A470CF3B25F090F2B0BA23A9891D98D |
SHA-256: | AA9E8D86273F6BCF7739360CF0BDD72952119A4EAFE8EBFCDF894D59770EB0FE |
SHA-512: | 4A6FE2BA0B987D8063CD62C6FD27AB0C19DC70EF1913B3A1A7970E17514A2AF6F4074C17E77FD93C4D6F4607CA189CD1F35366E0FCF93116B5267824B9A6A275 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.401268822386593 |
Encrypted: | false |
SSDEEP: | 6:tSWd0+d0+d0+K0+K0+K0+K0+K0+K0+K0+L1Zx:tld0+d0+d0+K0+K0+K0+K0+K0+K0+K0Y |
MD5: | A7762F2B6C609B1D20B5B2F7120B1B6F |
SHA1: | 2A15E49BC8124F2FF65AB35A755FA5D7E85684F2 |
SHA-256: | 22B0FA3D6D6F1DA6809CB525C3A2877A24E3128BC4A06AF1CEE1FDC6E5914119 |
SHA-512: | 464E37A077A8407469764B21BB5DAD08D5379C561EAABA78FF95A3EDFADF4585E2AF7888DA3029051483C8716F0FA942E60A8704464C58CB9A86FF3087B04CA5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.304278802761717 |
Encrypted: | false |
SSDEEP: | 6:tSW2f0+2f0+2f0+2f0+2f0+2f0+eW0+eW0+eW0+eW0+eWx:tl2f0+2f0+2f0+2f0+2f0+2f0+eW0+ew |
MD5: | 2D4CD0D972C816D292FE201186958506 |
SHA1: | 04D6E12D15BFDE6E50DC4927C8C805DF940E9B56 |
SHA-256: | 5D347E5F612C4A307109E19C002441376BB95C8337549BF883D6B74FBE475D18 |
SHA-512: | 6B26C833E12BC2CC06D30FB0FCBB32FEADC3524750084C7B022D91EC427735D6DD14D4A48CEBBFD8617F2750495CC12FEAE52B52DB86723C139D40576F55AEF4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.297135593859353 |
Encrypted: | false |
SSDEEP: | 6:tSWON0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+TZ0+TZ0+TZx:tlI0+1dp0+1dp0+1dp0+1dp0+1dp0+1J |
MD5: | D1F0DC87B26629934BF22450AE4C6D0B |
SHA1: | 1E873F896BC25919A76A8678DE7FC875C5275EE8 |
SHA-256: | F95016BBB890E92284C783737737F6AE996C8A0D9DB20A6413BA213EC1232B48 |
SHA-512: | D789D2A47D44D02B71184C92879BF9E2659BA533C0FB408C3BA74123C5222E7CB2ECA728D8F77514398DE0560E17B7912BF1372EE9999B3B9872E938E9721754 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.362098822605423 |
Encrypted: | false |
SSDEEP: | 6:tSWvXp0+vXp0+vXp0+vXp0+vXp0+C0+C0+C0+C0+C0+Cx:tlvZ0+vZ0+vZ0+vZ0+vZ0+C0+C0+C0+C |
MD5: | 1A0FA39FBA370C6AD6352E4B2984D0DD |
SHA1: | 6B71F687D515C6A4F8533F1FB1F111D6ADEA253A |
SHA-256: | CF60A966D1DD6548E569867DEC0EC3FEA732AC7AE294599DD18B81819601D2BF |
SHA-512: | 530AC6110733940503D7AB1384D6BDB5F00FF3D1D2B2C2FD0FB645EA67B193DB0467643661ED3E29AA65F521F47786D74A0F573231D9CBC329A771DD24D293A1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.310354046253363 |
Encrypted: | false |
SSDEEP: | 6:tSWQf0+Qf0+Qf0+Qf0+Qf0+Qf0+Qf0+A0+A0+A0+Ax:tlQf0+Qf0+Qf0+Qf0+Qf0+Qf0+Qf0+AS |
MD5: | CDEB921DAD317E3E339E206A0FF89C04 |
SHA1: | A7871923C1E7EA80A95EDBC991E7319911918A60 |
SHA-256: | 0A6A0870A201A7D937FFEB38AD7B047557D30CF2E853EE861F103A0B4DFA07E6 |
SHA-512: | 5EEEAC6DF6EBD172D5D7D9F4E007460345FA519109EDBD051B603A719F5DE32355089F96B0E704F2CF2286600AFF421261BAEBEDF32D723B5C616E3EC191E569 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.383210085083239 |
Encrypted: | false |
SSDEEP: | 6:tSWVjp0+Vjp0+Vjp0+Vjp0+Vjp0+Vjp0+uLZ0+uLZ0+uLZ0+uLZ0+uLZx:tlj0+j0+j0+j0+j0+j0+uN0+uN0+uN0K |
MD5: | 7F377A3FB9141942B8A6E4757F95B900 |
SHA1: | A2A46C66D4ADA27722E3CE10ABBB8A62FA496F21 |
SHA-256: | 79011C511DBC74B549356E62FB03EE8EC9EC4831EF160DA8C582A2FEE76A6941 |
SHA-512: | 2616ADDF0DAF61E1303F2FD3B97FCD8A0429D86E7A2F0F365C9CE7CEF3A593C0528539E97812D99BB21DE8B1ACFC2A455E55B8C1D92BBFC0147D0D8CE7AEA2F0 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.345808164346669 |
Encrypted: | false |
SSDEEP: | 12:tlCCp0+CCp0+CCp0+CCp0+CCp0+/0+/0+/0+/0+/0+/0+/x:tlx++x++x++x++x++8+8+8+8+8+8+Z |
MD5: | C48E68C75C42D965017AA06209CABA92 |
SHA1: | 65EA3E4AEC695A2369CC3AEA427C54C8208029E9 |
SHA-256: | E00883A9D18F8C2985313AFA67DF8BAAE553B76D2AC3250313504471EC5148FF |
SHA-512: | 15A2D5F007B2B396D3858059BEBA7498CA5C01BAEAAE1301749BCECE49BDC8883D2C42EF18F8CFE76FCD32581E5C6F8AC341D0E1A86174287A0EB77E886F5C84 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.300027007245535 |
Encrypted: | false |
SSDEEP: | 6:tSW6dp0+6dp0+6dp0+6dp0+6dp0+6dp0+6dp0+1Z0+1Z0+1Z0+1Zx:tl6f0+6f0+6f0+6f0+6f0+6f0+6f0+ff |
MD5: | 8E39C0F417846FAF977CC63ACDA8B0FB |
SHA1: | 95A64687A2DB1A55F7DCF567912C7BCDC8999FDE |
SHA-256: | 32944E23F67867D8DA352AC1C61A6478D1C080E2127B62AE2228E8AAE8E3454A |
SHA-512: | 678F1883A07607620D138249C4C6427B45616B705A58B5157893329E8038A97D706D171858CEB88225FF0CAD680C2FB9E23096220FEFAA0A10A052A8151217D4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.234751417603449 |
Encrypted: | false |
SSDEEP: | 6:tSWWCp0+WCp0+WCp0+WCp0+WCp0+WCp0+ON0+ON0+ON0+ON0+ONx:tlWW0+WW0+WW0+WW0+WW0+WW0+I0+I0h |
MD5: | 1F12CA40F1ACD9C56260ED7D0F6CC5EC |
SHA1: | AC3181DB90E85EB8DD6A04E60ACFE2C728D755B0 |
SHA-256: | FE55443816319D9BC9C527D00F4C0AAC510ECF6F2E972009430599F6124C582E |
SHA-512: | DEB9EAB83470C8FAE610C7FD94C59498C47A89CD1A6BA8559E35455AB8FF97B77C9A706BB3AA1ED1A8A117F9EA71F0B9625114D68F07D8883A188133AE0A4306 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.373929164813413 |
Encrypted: | false |
SSDEEP: | 12:tleW0+eW0+O0+O0+O0+O0+O0+O0+O0+90+90+9x:tle7+e7+j+j+j+j+j+j+j+q+q+f |
MD5: | E080094F4269B17E04593E7B518BE543 |
SHA1: | E0C9F72F1AF0C9DB8AC2FF310A6F7FAB57006F66 |
SHA-256: | 1E294592088C1B1E1792AA8B0E77F6231FB815DD7A99D3BEAA434BC2AF357675 |
SHA-512: | 149ADE73FB25C9212D7C26A46AF4506C19AA72FDD739CC193AD87F7C760ED3E55EB0AF47D46C662F677BDB89758B0D19E5803550FBF26AA6FC0CBB0B1D5619E9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.324150299180992 |
Encrypted: | false |
SSDEEP: | 12:tlKAf0+KAf0+KAf0+KAf0+KAf0++N0++N0++N0++N0++N0++N0++Nx:tlY+Y+Y+Y+Y++a++a++a++a++a++a++P |
MD5: | 8E5EF3AC406C6A354114E2009FB09199 |
SHA1: | 3A0E6A4EB786A6FA2D9E6ADDEA6EE6A700044100 |
SHA-256: | E64B2AEA76E88DC042FA9ADB7D1D69864B690FD19AE92D8EE53506160B6CCAE9 |
SHA-512: | 561EEBF3DF2F77C6931CFC1FD8563282F1278570F496E2B241AB94E995D337E006CF7BB2355E6DE807777960C6D0F8FFF4F3C5BB42EFCF8362069D745678B35B |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.383210085083239 |
Encrypted: | false |
SSDEEP: | 6:tSWsN0+sN0+sN0+sN0+sN0+/0+/0+/0+/0+/0+/x:tlsN0+sN0+sN0+sN0+sN0+/0+/0+/0+N |
MD5: | 24FBF594E8FC81DB353A0CEF232E4E22 |
SHA1: | 086D002514E116FFEFBC03FA95177B94EE96F5D8 |
SHA-256: | E5A44D5585C1FA69B3D34BE9E498017C112C647A4C00A20048C347F7B02A56F9 |
SHA-512: | C9C640DB7A1367024241AA704E78C4EF5B5E7D184A5B40E471E384E5032450FFEE6E9DE2FE1CB0F29634729DB6497CDB0B0274AA82505393E60980B840A87D9A |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.326061136366424 |
Encrypted: | false |
SSDEEP: | 6:tSWTZ0+TZ0+TZ0+TZ0+Ap0+Ap0+Ap0+Ap0+Ap0+Ap0+Apx:tlF0+F0+F0+F0+c0+c0+c0+c0+c0+c03 |
MD5: | E92088EA99A2716E3E27D62F7C1E94D9 |
SHA1: | 44496D076858FCCBC7D4F0FFF8FB0297CBCB67AB |
SHA-256: | 32F01873BEA1F2769636261915EDD08F252B32535CEADC47F06B61097F47FCAE |
SHA-512: | 8B95AAB01598EA3775A6F3C2D93685CB5AB6131A7E1F8AEB8C89BABA5D13682CFB7976C42FC502CFDD57EB146BEFC0F6002D584867E525C24A0C68013908CAB6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.3128275092660635 |
Encrypted: | false |
SSDEEP: | 6:tSWcW0+cW0+cW0+cW0+Yp0+Yp0+Yp0+Yp0+Yp0+Yp0+Ypx:tl90+90+90+90+U0+U0+U0+U0+U0+U0D |
MD5: | 03B5994DD57BBD36AEE509218632542A |
SHA1: | A87735F649DDEABDD0F9AA378FF09E7FDEFB8FBB |
SHA-256: | 405A83D2232BB419CEB6D4F214FDB0582CA4C5CCB52B68980D58EAB6821CD7A5 |
SHA-512: | 7A7960A45C4C63E4BD15CBB16205E0C4AA684A4C897E2EA879BEB563FD7BB94811DF1FFF7EABCADF7A0F4B74C8E4713B865C7355379A11810052574B22F26745 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.326061136366423 |
Encrypted: | false |
SSDEEP: | 6:tSWm1Z0+m1Z0+m1Z0+m1Z0+dZ0+dZ0+dZ0+dZ0+dZ0+dZ0+dZx:tlyZ0+yZ0+yZ0+yZ0+dZ0+dZ0+dZ0+d9 |
MD5: | 26BA895928CD75513402D31D4D949304 |
SHA1: | 438EA470758D7E9A0E5E64AAEA5A03F7A087E48F |
SHA-256: | 0EC972C2984EA38C600732AA9D09738591A5335DE12D4F5D797B80A1C0CF5B71 |
SHA-512: | A97AA6353872A0329AEB8B474FFF6E7D33FF28ABFCC7B9F92E7FF671C0AB6B981AF480C34835F199901E6CFB93906C3158553F24C5545A686EC1521D33CBC71C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.340662761780532 |
Encrypted: | false |
SSDEEP: | 6:tSW8Xp0+h0+h0+h0+h0+h0+h0+h0+m1Z0+m1Z0+m1Zx:tl8Z0+h0+h0+h0+h0+h0+h0+h0+yZ0+N |
MD5: | 9027C8945A680EA8AFDD96B32326F7A0 |
SHA1: | 65321CE86DD9FE6E7FBD06B6ED54D2DE73C657EB |
SHA-256: | F62844E6EBBABB0035B7D43C1B7BED810F478C40A0B492002D292259021AF13B |
SHA-512: | C175EE43ECB2649CDE67BA7A64707334551EC28564A720C53DA66570AD566D4B3ADB82BCD12EB60B10051A5A6D5EF9B99DD73CAAEF266BC3C235B7CF8605FC8D |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.328374648923587 |
Encrypted: | false |
SSDEEP: | 12:tlL0+L0+a0+a0+a0+a0+a0+a0+a0+t0+t0+tx:tlg+g+X+X+X+X+X+X+X+6+6+v |
MD5: | 6EF2D1F6CA5D9490E3B7DC67D921C8F7 |
SHA1: | 088980867243A5A72EDB30104A49584362E9808D |
SHA-256: | 5824B41C93E9C010675FBA63910EE68CBF1929F0A08B2817E24825A00B28059C |
SHA-512: | 484AAA159921255E07F786A248424F680982CC775A8047301927EBA1AB10D94B2963F3EE9100DD23781188BFC83EEC06F327B114611C63CD2D02BA0288E9B06C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 4.216045112342437 |
Encrypted: | false |
SSDEEP: | 6:tSWq0+q0+q0+q0+q0+SUN0+SUN0+SUN0+SUN0+SUNx:tlq0+q0+q0+q0+q0+SUN0+SUN0+SUN0E |
MD5: | 28FE2087B941B3926C7B8207CAE36DF4 |
SHA1: | B90D7017DA0850E878A539B6B98208B5DDEA87BF |
SHA-256: | 561774D5BF5403CE21B79F45B0B4B99D50F05998F2419674A42D17FFECD72DF5 |
SHA-512: | 5291F65889D318125DEE26639BC96A652892417B6771255218DC921306AFC64D52C05C3889CCF97326308E39011E792454A5373EEF3D72C6C8A6DB672D8791B1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.362098822605423 |
Encrypted: | false |
SSDEEP: | 6:tSW+f0++f0++f0++f0++f0++f0+L0+L0+L0+L0+Lx:tl+f0++f0++f0++f0++f0++f0+L0+L00 |
MD5: | 21C6EA43BD6FEF37A35E3153644EEFE2 |
SHA1: | 3E2E8FC14CD30B88C99B848DEE846DEEFAD3D873 |
SHA-256: | 37219030D6D8B1EA2043F51250263976243E78F6411EBD777AADF44DD7EC8932 |
SHA-512: | 5F0545970381D12E50FF22D1BB80E9FA0E0A3E846F0525FB75BD6F477A64B05C75631B7B8F35970C797906681656FD19D1A8534B715C671C4816BDAA3A4590E4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.3128275092660635 |
Encrypted: | false |
SSDEEP: | 6:tSWaW0+aW0+aW0+aW0+aW0+aW0+aW0+Ef0+Ef0+Ef0+Efx:tlaW0+aW0+aW0+aW0+aW0+aW0+aW0+Sg |
MD5: | 5B3019AF824743F188381CBE2977135F |
SHA1: | 55DF80A52D16F3BE4A29F45416B29EF8CFFD26AE |
SHA-256: | 08BA8A1957AAD6FB2B31AC223D20C19BF92A4354CD16D6A05FA44E3B91A5F68E |
SHA-512: | 2424F34BDA07780EDC67569E7D2C217273A21F52D5E05015ACF99FDFD67AFA6FFFD8D6A0A22D70A52CBCF66657087CF81D9069B41DEA844D51F7E538B4695757 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.27241143636508 |
Encrypted: | false |
SSDEEP: | 6:tSWUUN0+UUN0+UUN0+EN0+EN0+EN0+EN0+EN0+EN0+EN0+WCpx:tlPN0+PN0+PN0+G0+G0+G0+G0+G0+G0L |
MD5: | EB09138E7F676D5C9730E150E2FEBD50 |
SHA1: | FA583CFFADBBBF1E36261E243C5F060B216E1FE5 |
SHA-256: | BC2ADD6522EC71D3CAAB2187262D5473ECA6FA8BC90296A00F71853E54547EE4 |
SHA-512: | C60AA0324C4607E7989FB06570A5EFD6F8ADD6565E6910A7A4968146ED909169B0F449470C3319CF4C67624D7AB7FC74B0ED628390DC6868F2E8477C74F0532B |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.302686940200454 |
Encrypted: | false |
SSDEEP: | 12:tlS0+S0+S0+B0+B0+B0+B0+B0+B0+B0+2f0+2fx:tl/+/+/+G+G+G+G+G+G+G+V+q |
MD5: | F7A64953A40E5FE8DB03B31B9CC054EE |
SHA1: | 5943561DB20B2999A04F50E822B040BA6F56F638 |
SHA-256: | 35B9B6CFE0DDD6ABD5D11500537A7FCB0058FFB802E653A2F6A00598A1503A23 |
SHA-512: | A8C664D690E7D1DBB9FAF85C6445105D5E2B08076A1A935A1ADE72313D53D4B327ED77E0D9EF1DE3C397CE190ECA6E980467D740AB0D2C47783E4B3426DD70C1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.376805146216213 |
Encrypted: | false |
SSDEEP: | 12:tl+p0++p0++p0+y0+y0+y0+y0+y0+y0+y0+y0+jx:tlH+H+H+f+f+f+f+f+f+f+f+N |
MD5: | 9FA8AA829EBE89CFEE2DF6281EA23363 |
SHA1: | BF18E76EA209B2491EE3F565313004332E74733A |
SHA-256: | 47E594C05156418B79B41BC202ECBA3671735F026061AB9E3390472E76544438 |
SHA-512: | AA86A1ACB70C166FF66E765209527B99EDAA9525BFF20FECF87C9402FB77CBBF547B9ADCEF06F10F448F5A097BB1157C8ACAFC1F4006CF64FAE55DD42B1C7E48 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.378838917669008 |
Encrypted: | false |
SSDEEP: | 6:tSW+0++0++0++0++0++0+AW0+AW0+AW0+AW0+AWx:tl+0++0++0++0++0++0+J0+J0+J0+J0y |
MD5: | DD58C631055883E2D9DDC2A17EC79C65 |
SHA1: | C3FA2E052A3941C3F0E38410B5DFB1064CB3C782 |
SHA-256: | 2719557FE30D79A6F68A62599911091E1258300A0E34B28E080893024FC03C09 |
SHA-512: | E623438811CD78524670128173C11F9D8E65F1427FEC2EF623C7A5772A81A55FC7AE25005CC04ACEACC7FF645AE4193FB95DB0282DCD054C7EF973683AC4D3EA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.322604024477179 |
Encrypted: | false |
SSDEEP: | 6:tSWE0+E0+E0+E0+E0+E0+M4dp0+M4dp0+M4dp0+M4dp0+M4dpx:tlE0+E0+E0+E0+E0+E0+5f0+5f0+5f0c |
MD5: | DA39BBDC4FE5B20648D6AE36F4772A4D |
SHA1: | F713EFD035CABBBBB53E5F2E6A6EE48CC6D0DAEF |
SHA-256: | DA8FAEBAB68B0F273D86BB2058EB7FD902CD607113C564B57A5183C332D7F14F |
SHA-512: | 114F222984E5E1F982A01BC897C2E0B934174AA08B3DFC58F7B631DEDA65FC0C5F5C14842DA0B9477FE5AA81D4F0A9B8C7860D189F6A13AA6DA33F6C9FC3CC15 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.405942340369826 |
Encrypted: | false |
SSDEEP: | 6:tSWAW0+AW0+Onf0+Onf0+Onf0+Onf0+Onf0+Onf0+Onf0+B0+Bx:tlJ0+J0+w0+w0+w0+w0+w0+w0+w0+B0q |
MD5: | F9D5A008E5139C724F704DB07A4DE7E0 |
SHA1: | FA876A871E46F15EE96B7EAF07235773188F7113 |
SHA-256: | 4ED19A6FB3DE3CA9127C5DC4CA57953CC24F3AC3E37FD9E53A1A421AF444E1AA |
SHA-512: | 20D23B482B369260BC03FD8AA039518D83799167A431BD62C2BBD7959A7B252C2859AFD33E72952AFE8FCB4A6E3787D3DECA8F44F69C0678403611551A469EA2 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.291604530587578 |
Encrypted: | false |
SSDEEP: | 6:tSWef0+C0+C0+C0+C0+C0+C0+C0+KUZf0+KUZf0+KUZfx:tlef0+C0+C0+C0+C0+C0+C0+C0+KAf0c |
MD5: | D3AB829770847503A172A7FFEB6A2694 |
SHA1: | 00937D9BC00A54697299396DA4FF3BCF95D90707 |
SHA-256: | 2A8B8062FCDB859A595630E940AC1DE8E6633923E33E215854D9B1A742423F1D |
SHA-512: | 696791AD999C7772281FA5C6399D6E1E4D17ECE23386A30C7C8A22704A2C08951D1FD4D2DF0ED5B83359CA00CB8894B044793A55019E8B91B849458524CEBD8C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.362098822605423 |
Encrypted: | false |
SSDEEP: | 6:tSWt0+t0+t0+t0+t0+eZ0+eZ0+eZ0+eZ0+eZ0+eZx:tlt0+t0+t0+t0+t0+E0+E0+E0+E0+E0v |
MD5: | 293EC2F84B01BAD99A5B46C3319855D6 |
SHA1: | 10FD3435F04C5C9DF03A94491321A1459DA12750 |
SHA-256: | 8CF8E473ADDA04F4EE58C928DB616DF9F07023854ABE51F9844F6C38D4439564 |
SHA-512: | B292A5D765FBDD3594C965ECD1E2BA2A1F4E6694A3F3570842A867056AE77745B5D2D26B0462DC9DA7C894F7FC097E7A8DA8D9E230037DE808FF4BAA67568B24 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 4.288480152909674 |
Encrypted: | false |
SSDEEP: | 6:tSWd0+d0+adp0+adp0+adp0+adp0+adp0+adp0+j0+jx:tld0+d0+4p0+4p0+4p0+4p0+4p0+4p0E |
MD5: | 4B61CCE9D340D8E77F34C856F40F1512 |
SHA1: | A61FCE4ABCDDAABD744C494395DBAD4FA819037A |
SHA-256: | 7960E729F5D9104204C8DE97922108F33CFD0148D527D415483E607A6A84E0B5 |
SHA-512: | CE90A8ED63C294E39973C793176D426E04982C8364DD741FF843428AED6545660AC55C24E6BBE63E5B42F4F204BC4EE66FBE048C551344976F33B94924333CB3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.398612087820528 |
Encrypted: | false |
SSDEEP: | 12:tl/0+00+00+00+00+00+00+00+d0+d0+d0+dx:tl8+J+J+J+J+J+J+J+K+K+K+/ |
MD5: | 5BAB7EC4A04243E28BB346FB022D95B1 |
SHA1: | 5B0DCE210496F1FF063307B110B19E836B3DBB3C |
SHA-256: | BC6534D2971827851C1B1CF3D75F99BB9C9035341B595AA1361E9DEA580D5E50 |
SHA-512: | 4721EDE0AA62361D0DDB1D9C7ED8CC5E03FF1192DB9B167E7BD540F06946B05F26AF030F67C9C9412EB7FF345EF6658BBB838953E14FCB15C88F54EA814A873B |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.268343431737297 |
Encrypted: | false |
SSDEEP: | 12:tlGnf0+D0+D0+D0+D0+D0+D0+D0+mp0+mp0+mp0+mpx:tlGnc+I+I+I+I+I+I+I+/+/+/+8 |
MD5: | 3C7ED92EA903812DAC7C1001A5A9A6A4 |
SHA1: | CB8A0F0BFF7BBF8CA0BE019AAB8362D144A11D2D |
SHA-256: | EC07F46FBF905FB96FC9B9F5015AC8D32BAADC33BA7935ED4C5508C4E77806BA |
SHA-512: | F11DD46AA9326629059A28FF4B4FE39680C9E2468153EF525835B2FEA5E6D051185F1637A0722F7EAB747482E69F694D50C0217F345BD59B5ADC152E1D5EA1C9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.387894949224467 |
Encrypted: | false |
SSDEEP: | 6:tSWIW0+IW0+2f0+2f0+2f0+2f0+2f0+2f0+2f0+KW0+KWx:tlx0+x0+40+40+40+40+40+40+40+KWT |
MD5: | 468C09C08EA09A3BBE46E3B7E68824D1 |
SHA1: | 6CEC43775292CC552E895AC3EEEDBFEB30A559E6 |
SHA-256: | 52E0A886956634730F997E37AAE31EB578D3D199EFDA9AAEF7D43D1871E852EC |
SHA-512: | 695292975BFC68BF1C235F232F2F173584F0D899197193AFF1F28EAC673D67BF2459F8069D53DF64CF9F5EB2A4644C78A6D9F0997A27C5DAED2B953F4210C2A7 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.270554828954459 |
Encrypted: | false |
SSDEEP: | 12:tlSUN0+s0+s0+s0+s0+s0+s0+s0+PN0+PN0+PN0+PNx:tlta+R+R+R+R+R+R+R+S+S+S+n |
MD5: | 10322AA7C357F1305521464202C98583 |
SHA1: | B6A38228CFF6A280DC3A31C822EFBA9349A00E63 |
SHA-256: | 8963309C583BFEB0870A1BFA1687A237A27C770515F41F3BE532D9D66B80DA2B |
SHA-512: | 0E8A6E6703C1D1DD6C21F95A22C5AD18F637271E992B5CCD0FE20778AC3EDEB879CF7E32792E6357C86C571D8848CFDD01F5ED4726067D5F3E230D8EAD7EF7D5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.340652808831324 |
Encrypted: | false |
SSDEEP: | 12:tlXdp0+Xdp0+Xdp0+40+40+40+40+40+40+40+40+vZx:tlXd++Xd++Xd++l+l+l+l+l+l+l+l+z |
MD5: | 515383FBD9C5F7F9912715B4A7E3CD4D |
SHA1: | C305F27E02A4E509662B62D8D940CEEE832CEBE0 |
SHA-256: | B1294FBC1B30AC5EF1CE69A7506AB416394D556A9E2B864A6A5F29AB36A57D0B |
SHA-512: | C7C840A2A95788D38CD1A8BD4CF7036AF981A7CB5C9DAC5550E8EE959C514ECC5F50E1F4A28A5BAA9791BD1197F33BF0794F682EE1D32C09FB271CEA0122DDA6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.263101964183938 |
Encrypted: | false |
SSDEEP: | 12:tlA0+A0+A0+Z0+Z0+Z0+Z0+Z0+Z0+Z0+q0+qx:tld+d+d+O+O+O+O+O+O+O+H+k |
MD5: | 9BF3EFE4F2B055B3109EC80AE229E947 |
SHA1: | C229C0AAFB04DADF609162C7F405DA3A6EBE90A6 |
SHA-256: | 0004A67AB0036CCC7842862CFE717495FC2A610551C441654B15195A2FD2F22B |
SHA-512: | 5828F4CAA7D94DB02DC37DD294F027D133A2EEB35E291CBFA51D36582C483B4068BCA36CA432C0E8A46A883579458AC83A5D90766F14E8F6BD89B324053010E5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.3579410869724615 |
Encrypted: | false |
SSDEEP: | 12:tlU0+SW0+SW0+SW0+SW0+SW0+SW0+SW0++p0++p0++p0++px:tlp+Q+Q+Q+Q+Q+Q+Q+H+H+H+k |
MD5: | FA62669A16B4922F6482FBD1760B1168 |
SHA1: | 8C5F826146D66DE32626342E8394B53074BC58C4 |
SHA-256: | 108221C4DF910B69BEA39224582F62E08A66F443B9695C940435E270280DB83C |
SHA-512: | 2C335DCC33F09B55CD466743FB601C35E808B56FB24DB0CA4B11B1DBF19207F1C3CE0D941436E4C7B79C6ADEF07B4736FE1D67062FFFB94483D942F8466160DB |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.259539517141877 |
Encrypted: | false |
SSDEEP: | 6:tSW+0++0++0++0++0++0++0++0+Xndp0+Xndp0+Xndpx:tl+0++0++0++0++0++0++0++0+Xdp0+b |
MD5: | B9E52032F30249E62EBCF87242BFEF36 |
SHA1: | 44A0612CD873CD286C2A44EBBF72B937E3D3A553 |
SHA-256: | 4623A8E877EDBE6C95005AC2F1D2A4BE6E27D31D8EBA557827D66947E26474D8 |
SHA-512: | 28ABE9C79E9C72DA5C5E453849F48331A24A1105DB0245679543CF7C1C9E28E447BFDC1A36D08D38763281EED562D74FDB24059C9817B6128C8B962B7E317E92 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.3411211513875125 |
Encrypted: | false |
SSDEEP: | 6:tSWuLZ0+uLZ0+h0+h0+h0+h0+h0+h0+sN0+sN0+sNx:tluN0+uN0+h0+h0+h0+h0+h0+h0+sN0O |
MD5: | CBD65E9AE1A36221B0FADE281999D59D |
SHA1: | 66D98A2EEAEEA69AE2A56533574FC184C85FAA36 |
SHA-256: | C82479DAF213B8401A6192F86673EC5422588E859B2BA43B7599D853DC2DBDEC |
SHA-512: | 220CDBBAAD5174A0CFCD109E0E8DC1832E1CF00E96DC8DE20569FB5718A264A50BA8C36E2CBC422438401D175FF6D221E767C7538A1F3442B2C9A67894157A1D |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.31626960487185 |
Encrypted: | false |
SSDEEP: | 6:tSWtZ0+tZ0+tZ0+tZ0+tZ0+tZ0+tZ0+20+20+20+2x:tlH0+H0+H0+H0+H0+H0+H0+20+20+20R |
MD5: | F64A6E03CBED329B8C052119CEBD1E10 |
SHA1: | 80653C2D2656678E011A66128BDBD0AEFCE76079 |
SHA-256: | 11B79063ADBA8FC3F5638A17B3E2FE45B9D710926F78AFC2954BCC12596B0D19 |
SHA-512: | EB1CEA81420F8A8030443310AAAADB29972594EF849B133795D8F5DAE9487F8F965B834D06F23B1E23F9C16794865F77ED660C39DC274B57971C54195C1A1F53 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.313786262077451 |
Encrypted: | false |
SSDEEP: | 6:tSWC0+jZLZ0+jZLZ0+jZLZ0+jZLZ0+jZLZ0+jZLZ0+jZLZ0+jZLZ0+GZ0+GZx:tlC0+lLZ0+lLZ0+lLZ0+lLZ0+lLZ0+lJ |
MD5: | EFD9DB9C8F5D9E7EF787D6671AFC5125 |
SHA1: | 28103CFD909DAEEB7CA3D143B26A3CD0AF22192B |
SHA-256: | 870FCC2A1AC2C24C590D04E4C67A6826E7BF3592E7FCCE5B7D51E5DFC049F4B2 |
SHA-512: | E714E4B5C0AB7A4072DF36844488CE6791974B228A8C96741662FE2345BC4983D5E5D84FB38A030F553DE4FBED5BF14594C6F4EEEA390A3ED1328A6A6C028B25 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.250074507250172 |
Encrypted: | false |
SSDEEP: | 6:tSWB0+B0+B0+B0+B0+Gn1Z0+Gn1Z0+Gn1Z0+Gn1Z0+Gn1Z0+Gn1Zx:tlB0+B0+B0+B0+B0+Gnf0+Gnf0+Gnf0t |
MD5: | A0621758CDCDFDE013A77939D9E3EC9F |
SHA1: | FCC0321A1A713115D9F215E73CCCCE767B73AAB0 |
SHA-256: | BD39A6A7319538789C91392708755EE804683F7728DD797A8EC6BE0E6B0C0284 |
SHA-512: | 249D0FC894D90156F1EA3DACA5F51CB1877CA6FBA54364B8BC8475F59545A230D893D8B96CE218469E4D24BB8B8A278EE78BCB67A00872EED155148225AE1C61 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.2677685883175265 |
Encrypted: | false |
SSDEEP: | 12:tlf0+f0+f0+O0+O0+O0+O0+O0+O0+O0+Z0+Zx:tlc+c+c+j+j+j+j+j+j+j+O+L |
MD5: | B2C47EA907BF1C50E9AD4C36FF244507 |
SHA1: | 022C79A02C4F205669A0FF13801B95AB45B9BFAA |
SHA-256: | 9D78C89439C75C41B9FC06042D23B7C157CDD9954AAA6871FEC98FABA25819AC |
SHA-512: | 17346BE3CB93E6E90A78CE7FCAFF4B2FBA0577D096C25FD385AC3D092504B21FB964B031F75AA8B6135EB804218E47747B7BF2115661245E659069469FC80C36 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.310765932660567 |
Encrypted: | false |
SSDEEP: | 12:tlkN0+kN0+kN0+kN0+kN0+kN0+kN0+kN0+2W0+2W0+2W0+2Wx:tlka+ka+ka+ka+ka+ka+ka+ka+27+27E |
MD5: | 2F6F2EEE2DBBE071CFAFA56CEBBC5352 |
SHA1: | 13A76893B5BE40FD464DBCE3AEC7486A4DB1B269 |
SHA-256: | E646021FE1793D8F7DA7C19D7D54DE4B3136207640898CAD06B22B02C6FBB2A3 |
SHA-512: | 77D09C8B6F903F5F24530A7E53F515BAE6E864A34A23BEBF775E8DB2DB6C6A1ECEA503C52F75E3FE5FF2CF56774B96C8078B2E09246627415E9315D151192D54 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.361669687610703 |
Encrypted: | false |
SSDEEP: | 12:tlj0+j0+j0+j0+j0+8Z0+8Z0+8Z0+8Z0+8Z0+8Z0+8Zx:tlo+o+o+o+o+f+f+f+f+f+f+c |
MD5: | B4C087AF02AA9AE1317496C782032843 |
SHA1: | 591FC362D4D11BF16517EAF56F5D98B911E6F6D8 |
SHA-256: | 6FC6F6AB51AFCAD3548D451FC80174B25E90D4B1A4E24041AF3B6D059AF350E1 |
SHA-512: | 82A89EC1EA86104785004ABA82BC7C8931E1417F5B8F8D8CAEF8DDAA0CFD7CECAA6BA6C294A714BF5D07E7A2EE7C4BB140B5BD92F6ED044A19E5FEADFEDD75D5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.413332212703753 |
Encrypted: | false |
SSDEEP: | 6:tSWL1Z0+L1Z0+L1Z0+L1Z0+L1Z0+L1Z0+IW0+IW0+IW0+IW0+IWx:tl70+70+70+70+70+70+x0+x0+x0+x0q |
MD5: | EEB7ADA805D79BB8836DBC1F2185D5F8 |
SHA1: | 3DC3FA65E23C6E5D2F33B5B560C4C6D59154D96E |
SHA-256: | 29C858AF534B3C7FE40E5CC2C95D2D29B2A82CB7618E0470CF38E670F30602FE |
SHA-512: | 39B6BC9F93194EDB3C9DB380F306B54DA1314D738E275ED10F05B9C1FCDE657BA0A14DB44A168E3A7CB7D41A142DA074DDE02317262FDA6B6BE5811B74442FFB |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.348987127077085 |
Encrypted: | false |
SSDEEP: | 12:tl5f0+5f0+a0+a0+a0+a0+a0+a0+a0+a0+CCp0+CCpx:tl5c+5c+X+X+X+X+X+X+X+X+x++x7 |
MD5: | 62F6FDB2C731BD260CC699521888ABCC |
SHA1: | 2E206981DDBC472F443F5CF711CE4290FEF808B0 |
SHA-256: | 01323046B0A36F441DD67907F2EB41351D32630DFFA010EEBE899FE0343C0D62 |
SHA-512: | 9739F594B756B8A77F73E209B02F8BDE797B1BEAB03872FA4C4A2B8058C9C49254A71F3F34061447276A18BE6FFE62A5D2CF706ECB5E1C72E2BCB7E149EE94F3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.2846475929103 |
Encrypted: | false |
SSDEEP: | 12:tl20+20+20+J0+J0+J0+J0+J0+J0+J0+J0++fx:tlb+b+b+e+e+e+e+e+e+e+e+C |
MD5: | D747260ED3B271592F9C53C9DAD27C25 |
SHA1: | C5C4DD7191A255AD74D13A47B525F92389776F5F |
SHA-256: | 4521AAF4BC439852A18C4FB60FCC6C395EBABA277C4BB7DD28C212CF31A57129 |
SHA-512: | 8AA1D8C6004E1F73E11711EF74FB49D0D1F7CD64A1D117A69685EE67C2C0F103B5C5D0D35D1D35887AC55E8ED51807535F3F218DA30B1321BAC690394C7A941E |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.359803841471409 |
Encrypted: | false |
SSDEEP: | 12:tlGZ0+GZ0+GZ0+GZ0+/N0+/N0+/N0+/N0+/N0+/N0+/N0+/Nx:tlGO+GO+GO+GO+i+i+i+i+i+i+i+3 |
MD5: | 821166C360402AC8C561796E4BEEDDAE |
SHA1: | E553854916648FAAB8A52A9E969A64BA13ABB753 |
SHA-256: | E8CE71759384F9354732AD46AA4945D6AD607C9672B862B5143D870490AF8E32 |
SHA-512: | 78A59A7C7F5DD7F058924D6636EF8615CFDBB319F0EEBAEA2121B5A8CC667C46E775379860FDEAF88D0AE59F7D413DF73EB8601721F06C95E91653EFE0F6746C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.324150299180992 |
Encrypted: | false |
SSDEEP: | 12:tlu0+u0+u0+u0+u0+u0+u0+d0+d0+d0+d0+dx:tlD+D+D+D+D+D+D+K+K+K+K+/ |
MD5: | C1CB54B9BE3E1724F5C05C79A644FE15 |
SHA1: | 912AF0583F1F8520206A2E60079D24941F15744E |
SHA-256: | 89677509FC1CB6D6C83A612EC22146E59394AA5FC3F67C1CBE65C0956EE5D7B9 |
SHA-512: | 9A1EE573F1B2A1DD345D3CC83CCC28BB262CAD32AFFAF41091167CD4E99C5689171F4446AF8BC93A890254C6A21AAF42A0B3F2858B745BE2CDF94556766A88CE |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.301492761999363 |
Encrypted: | false |
SSDEEP: | 6:tSWZ0+Z0+Z0+Z0+Z0+ef0+ef0+ef0+ef0+ef0+efx:tlZ0+Z0+Z0+Z0+Z0+ef0+ef0+ef0+ef7 |
MD5: | 8B8E307E97990EB4F3D3A7FDCE904F02 |
SHA1: | E1530F277450A1F5D5BB7E998A1DC91B63689C59 |
SHA-256: | F19ADC5EA54413E47A892EBFF22434D46FF73D9816954ABA24E1A4DF4B463683 |
SHA-512: | E92E4D5DDAEBAD4794AB4499FD600C309CB02514C7B4384CF959B045ABC053C43C1F3B0D63266EBE5BEBD0B2245CC89BB50A9528F27E28DF4F60E3F98699B5AC |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7755 |
Entropy (8bit): | 4.437556142431081 |
Encrypted: | false |
SSDEEP: | 192:3Y+Y+P+P+P+P+P+P+P+x+x+x+x+x+x+x+y+y+y+y+y+y+y+r+r+r+r+r+r+r+r+b:3Y+Y+P+P+P+P+P+P+P+x+x+x+x+x+x+M |
MD5: | 2B5A3CFB503ABD6CED9108CEF05C717D |
SHA1: | 26ACEECB5C8D381B597753A208C8BAAD5593A4E1 |
SHA-256: | 5A99D81EDE5DF5D1040402CCD511E4BA0283B6A0961827A2E26FB21B9A9DA7DA |
SHA-512: | 963B183ECEB32081521A80FAAF53AEFEF5FFA485C14107E2104024FFD81B932951ADBF1F7DF546845030FA05AA1E90F11DCA3CFD70286F1D263F31121C95977C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.339344119540764 |
Encrypted: | false |
SSDEEP: | 6:tSWKW0+KW0+KW0+KW0+KW0+Wp0+Wp0+Wp0+Wp0+Wp0+Wpx:tlKW0+KW0+KW0+KW0+KW0+C0+C0+C0+m |
MD5: | A3AD96DCDD643840886D7B23A19348C3 |
SHA1: | 5C9F012763EDAD11159186E66AC1A25C5BA0CDCA |
SHA-256: | 955718CA891DA4C47B429497AE91A961405A3A24576ABE6A820FBB2DE70EB85A |
SHA-512: | 6A380F273E75845A5AB8B40C6F7F24AE07BD15D044E9012F1988115A025FAF7D6220F2E252F34070EF904ACB0D781CCE37C25D19A229D182CFA43FF40F8A602D |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.388415015075818 |
Encrypted: | false |
SSDEEP: | 12:tlIp0+Ip0+Ip0+OW0+OW0+OW0+OW0+OW0+OW0+OW0+OW0++x:tl5+5+5+O7+O7+O7+O7+O7+O7+O7+O75 |
MD5: | 85EFBAF6A7F4044FBD858B6642A09C7E |
SHA1: | F528908B8A74BF38403BF4D9C2D46973C0545B74 |
SHA-256: | 1D5B1E1665004E3C0D37B4B2EF0A1571B3C9E4B3AA3BB6C25ADDD4C7E4EF41A0 |
SHA-512: | 61E9B30BD2AA59941DED008EA8D7DD2D63719BAF98887A164948AE99E81A8A60C881CFD3C70DE8DA01A241BCF3F780F1DE99EA6D41C1CF0F66A3AF814025E73C |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 396 |
Entropy (8bit): | 4.385768233458961 |
Encrypted: | false |
SSDEEP: | 12:tlC0+t0+t0+t0+t0+t0+t0+t0+Ip0+Ip0+Ip0+Ipx:tlP+6+6+6+6+6+6+6+5+5+5+W |
MD5: | BB9A084C1F26FE62ED9FB29B17ECF7AB |
SHA1: | 62F2AEBB93027A71C80AECE40BB50FB884BB6F98 |
SHA-256: | 65D7671C4E8B14C84F83C7DB22ABD1574F8B7CFBF0A7B56468F801E9A6343566 |
SHA-512: | 7EFF87AC5DD85EBB2C6C6DC6F41F6A3BB569BFC5F1473DC90E1470888380CC989F6D6084EB7EFAF6AD9D188FAF2718D1BB7D9801E88FF8CBC1AE06F138839FFD |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.369572771702385 |
Encrypted: | false |
SSDEEP: | 6:tSW8N0+8N0+8N0+OW0+OW0+OW0+OW0+OW0+OW0+OW0+Ex:tl8N0+8N0+8N0+OW0+OW0+OW0+OW0+Of |
MD5: | 8251A194E9F4C556083D636547FD538E |
SHA1: | 87B16E8C8BB5F2036C178BC59AC65C312D80993E |
SHA-256: | 18B155858928C2DF969DEEAA5FCA3D29D70E169B970B02B968AE0CA395955084 |
SHA-512: | 9FF6A3D6CCD3D400B0B9A4F9A95AEA0CC6029C064ED4CC23E66A039BA7531673B961DC9E7F4D38FABFFFAE32E44F07D6A561BCE0C82F4295A1B046EC7553D479 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363 |
Entropy (8bit): | 4.304278802761717 |
Encrypted: | false |
SSDEEP: | 6:tSWI4nf0+I4nf0+I4nf0+I4nf0+I4nf0+I4nf0+8N0+8N0+8N0+8N0+8Nx:tlFf0+Ff0+Ff0+Ff0+Ff0+Ff0+8N0+8i |
MD5: | EF8318B7913A52FDA7076BE4C785372B |
SHA1: | 12330FC04E15F8AD1FEE318F84AA1E374528B806 |
SHA-256: | 06412A0642357B348D9927E707642DF4F936CFA63DCD0E46F93582DE1F292D49 |
SHA-512: | F4D5D3EE513A8D5241B3680EABECA0FF586FBCD00E7026237E4C9D4BC58DEF3FB7681EE9F73A867C3C467855628DD4E66BB83DA26397C93F70FD8B2146B859EF |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51200 |
Entropy (8bit): | 0.8745947603342119 |
Encrypted: | false |
SSDEEP: | 96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4 |
MD5: | 378391FDB591852E472D99DC4BF837DA |
SHA1: | 10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0 |
SHA-256: | 513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808 |
SHA-512: | F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 196608 |
Entropy (8bit): | 1.124003908482409 |
Encrypted: | false |
SSDEEP: | 384:KUM2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:Kkq+n0E91LyKOMq+8iP5GLP/0 |
MD5: | 9BAA153ED70603FD15DF786AC77CA09F |
SHA1: | 44545D11CD105F8581D462A9FB010E9E8B7F7E9C |
SHA-256: | B65E528EB61299BFF399BC1087E2CBEAC836EC20A783EDC379606212CAEAA9BD |
SHA-512: | 74B18EF4ED04AEB447E724BD6C0E1B88D047E5A7C7FA891C1F18FC4F012327BA0BB39E0C4E404E506F3D587D101513FA0B586AEEB23CD1F159611D15B9637F91 |
Malicious: | false |
Preview: |
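The "Entropy (8bit)" and "Encrypted" columns in the dropped-file tables above are derived from the byte-value distribution of each file. The following is an added example, not part of the sandbox report: it computes the 8-bit Shannon entropy the same way and applies a simple "looks encrypted" cut-off. The 7.2 bits/byte threshold and the three sample buffers are assumptions constructed for illustration, not the sandbox's own values or files from this analysis.

```python
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0).

    This is the quantity reported as 'Entropy (8bit)': H = -sum(p_i * log2 p_i)
    over the byte values that occur, where p_i is the frequency of byte i."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n) for count in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Flag a buffer whose bytes are close to uniformly distributed.

    ASSUMPTION: 7.2 bits/byte is a common rule-of-thumb cut-off for compressed
    or encrypted payloads; it is not the threshold the sandbox uses."""
    return shannon_entropy_8bit(data) >= threshold


# Constructed inputs (not files from the analysis):
# - a short text record repeated, giving the ~4.3 bits/byte profile of the
#   300-400 byte files MSBuild.exe dropped above;
# - every byte value exactly once, the theoretical maximum of 8.0;
# - a run of one byte value, the minimum of 0.0.
SAMPLE_TEXT = b"[2025-03-27 16:17:44] MSBuild.exe wrote entry\r\n" * 8
SAMPLE_UNIFORM = bytes(range(256))
SAMPLE_CONSTANT = b"\x00" * 51200


def entropy_report(samples: dict) -> dict:
    """Return {name: (size in bytes, entropy rounded to 3 places, looks_encrypted)}."""
    return {name: (len(d), round(shannon_entropy_8bit(d), 3), looks_encrypted(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    rows = entropy_report({"text": SAMPLE_TEXT, "uniform": SAMPLE_UNIFORM,
                           "constant": SAMPLE_CONSTANT})
    for name, (size, entropy, enc) in rows.items():
        print(f"{name:9s} size={size:6d} entropy={entropy:.3f} encrypted={enc}")
```

Entropy depends only on byte frequencies, so a file made of one repeated line scores the same as the line alone; that is why the many 330/363/396-byte drops above cluster tightly around 4.2-4.4 bits/byte and their SSDEEP digests share repeated chunks.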
File type: | |
Entropy (8bit): | 7.589835484876056 |
TrID: |
|
File name: | otq7hhgWfq.exe |
File size: | 809'000 bytes |
MD5: | d7ebf3ef787a3fb57a1a0fa793d0b2ab |
SHA1: | 959b4e0de4ee49034442e02fe1a0a5979217b1a4 |
SHA256: | e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f |
SHA512: | 9a24df95a762d4efd9b8d23d9e1d4dc99561a80bc20f5302c8e882242f51c42a4fd3f8883956109e5d7dc35e468e9e9adc2eeed2896736cf0d00f0c5da5b1688 |
SSDEEP: | 12288:xIR5x+u6RfbWYCrt/22puGGh6abmMbvZwPO5ICuAEHuTwBJtkQhp4SZ8qQFK9qWR:13WYatucdvl/XJbhzZ8qhqlPVPtq2Nyt |
TLSH: | 6605D1AFB5A72484FD625C30AEE87610DF67387ACE16DAF2069590302E361D1EC56F13 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...(z.g.........."..................\.........@..........................................`........................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140035cb0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67E57A28 [Thu Mar 27 16:17:44 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 8beb5ca1ff83475ee16fa1a921765aab |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 5F1B6B6C408DB2B4D60BAA489E9A0E5A |
Thumbprint SHA-1: | 15F760D82C79D22446CC7D4806540BF632B1E104 |
Thumbprint SHA-256: | 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D |
Serial: | 0997C56CAA59055394D9A9CDB8BEEB56 |
Instruction |
---|
sub rsp, 28h |
call 00007F2CD88E7450h |
add rsp, 28h |
jmp 00007F2CD88E707Fh |
int3 |
int3 |
sub rsp, 28h |
call 00007F2CD88E7214h |
neg rax |
sbb eax, eax |
neg eax |
dec eax |
add rsp, 28h |
ret |
int3 |
push rbx |
sub rsp, 20h |
cmp qword ptr [rip+000206EEh], FFFFFFFFFFFFFFFFh |
mov rbx, rcx |
jne 00007F2CD88E7209h |
call 00007F2CD88EB371h |
jmp 00007F2CD88E7211h |
mov rdx, rbx |
lea rcx, qword ptr [rip+000206D8h] |
call 00007F2CD88EB2D4h |
xor edx, edx |
test eax, eax |
cmove rdx, rbx |
mov rax, rdx |
add rsp, 20h |
pop rbx |
ret |
int3 |
int3 |
sub rsp, 18h |
mov r8, rcx |
mov eax, 00005A4Dh |
cmp word ptr [rip-00035D2Bh], ax |
jne 00007F2CD88E727Ah |
movsxd rcx, dword ptr [rip-00035CF8h] |
lea rdx, qword ptr [rip-00035D3Bh] |
add rcx, rdx |
cmp dword ptr [rcx], 00004550h |
jne 00007F2CD88E7261h |
mov eax, 0000020Bh |
cmp word ptr [rcx+18h], ax |
jne 00007F2CD88E7256h |
sub r8, rdx |
movzx edx, word ptr [rcx+14h] |
add rdx, 18h |
add rdx, rcx |
movzx eax, word ptr [rcx+06h] |
lea rcx, qword ptr [rax+rax*4] |
lea r9, qword ptr [rdx+rcx*8] |
mov qword ptr [rsp], rdx |
cmp rdx, r9 |
je 00007F2CD88E721Ah |
mov ecx, dword ptr [rdx+0Ch] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52848 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x58000 | 0x156c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc3200 | 0x2628 | .cSs |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5e000 | 0x688 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4a1e0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x52ad8 | 0x268 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x48365 | 0x48400 | a1b902d81c50b41226313e2baebc1486 | False | 0.4831652789792388 | data | 6.395288971671145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4a000 | 0xa57c | 0xa600 | cd2bab3b908abd1e5c983b0728f4af58 | False | 0.45620764307228917 | data | 5.017278619936885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x55000 | 0x2138 | 0xc00 | 5fe7d7ec89d4e05cba28a650951efdcf | False | 0.158203125 | data | 2.2504156670554667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x58000 | 0x156c | 0x1600 | f3fbec576d56de90d32788bfc51ee622 | False | 0.4753196022727273 | data | 5.463944585783601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.gxfg | 0x5a000 | 0x13d0 | 0x1400 | b3ddcfcf5948356499a0220c6cb2480d | False | 0.434765625 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 5.094957146805024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.retplne | 0x5c000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
_RDATA | 0x5d000 | 0x1f4 | 0x200 | ab77f6ffbb38af2478befaa05538d3b6 | False | 0.53515625 | data | 4.23018233870101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x5e000 | 0x688 | 0x800 | f1bdac277c233bae372527f3cbb3caf0 | False | 0.513671875 | data | 4.982690986029319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.cSs | 0x5f000 | 0x6c000 | 0x6c000 | 99fa9fa555132630fb54bccd84e8ab70 | False | 1.0003187391493056 | data | 7.999587123582853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, CreateFileA, CreateFileW, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile |
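Three rows of the static tables above belong together. The file is "Digitally signed: true" with a DigiCert issuer chain, yet "Signature Valid: false" with error number -2146869232, which is the HRESULT 0x80096010 (TRUST_E_BAD_DIGEST: a PKCS#7 blob is present, but the digest it carries is not the digest of this file). The security directory sits at the very tail of the file (0xc3200 + 0x2628 = 809,000 bytes). And `.cSs` is 0x6c000 bytes of writable, readable data at entropy 7.9996, consistent with an encrypted payload that the imports (plain CRT, no crypto or network APIs) give no hint of. That pattern is what a signature lifted from a legitimately signed binary and appended to a different file looks like. The script below is an added example, not Joe Sandbox output or code from the sample: it builds a constructed one-section PE32+ in memory, computes the Authenticode digest in the published hashing order (CheckSum, the certificate-table directory entry and the certificate table itself are excluded), and shows that appending a certificate table leaves the digest unchanged while a one-byte change inside the section does not. The section name, payload bytes and placeholder certificate bytes are assumptions.

```python
import hashlib
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
TRUST_E_BAD_DIGEST = 0x80096010  # WinVerifyTrust: "The digital signature of the object did not verify"


def shannon_entropy(buf: bytes) -> float:
    """8-bit Shannon entropy, the scale of the report's 'Entropy (8bit)' column."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def _headers(data: bytes):
    """Validate MZ/PE/PE32+ and return (optional header offset, section count, optional header size)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    return opt, struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]


def sections(data: bytes) -> list:
    """(name, PointerToRawData, SizeOfRawData, Characteristics, entropy) per section header."""
    opt, nsec, opt_size = _headers(data)
    out = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name.rstrip(b"\0").decode(), rptr, rsize, chars, shannon_entropy(data[rptr:rptr + rsize])))
    return out


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash in Authenticode order: headers minus CheckSum and minus the security-directory
    entry, sections by file offset, then overlay minus the certificate table (never hashed)."""
    opt, _, _ = _headers(data)
    checksum_off = opt + 64
    cert_entry = opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    _, cert_size = struct.unpack_from("<II", data, cert_entry)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_entry])
    h.update(data[cert_entry + 8:size_of_headers])
    hashed = size_of_headers
    for _, rptr, rsize, _, _ in sorted(sections(data), key=lambda s: s[1]):
        h.update(data[rptr:rptr + rsize])
        hashed += rsize
    if len(data) > hashed + cert_size:  # overlay is covered, the trailing certificate table is not
        h.update(data[hashed:len(data) - cert_size])
    return h.hexdigest()


def build_pe(payload: bytes, cert: bytes = b"") -> bytes:
    """Constructed sample (assumption): PE32+ with one writable section .cSs and an optional
    certificate table appended at the tail. Enough headers to parse, not a runnable program."""
    hdr_size = align = 0x200
    raw_size = -(-len(payload) // align) * align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)           # AMD64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, align)                         # Section/FileAlignment
    struct.pack_into("<I", opt, 60, hdr_size)                               # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    chars = 0x40 | 0x40000000 | IMAGE_SCN_MEM_WRITE                         # INITIALIZED_DATA|READ|WRITE
    sec = struct.pack("<8sIIIIIIHHI", b".cSs", len(payload), 0x1000, raw_size, hdr_size, 0, 0, 0, 0, chars)
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    img += b"\0" * (hdr_size - len(img)) + payload + b"\0" * (raw_size - len(payload))
    if cert:  # point the security directory at the appended blob, as a signing tool would
        struct.pack_into("<II", img, 88 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(img), len(cert))
        img += cert
    return bytes(img)


def triage(data: bytes) -> dict:
    """The checks that matter here: writable high-entropy sections and a tail certificate table."""
    opt, _, _ = _headers(data)
    cert_off, cert_size = struct.unpack_from("<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "packed_writable": [n for n, _, _, c, e in sections(data) if e > 7.5 and c & IMAGE_SCN_MEM_WRITE],
        "cert_table_at_tail": cert_size > 0 and cert_off + cert_size == len(data),
        "digest": authenticode_digest(data),
    }


def demo() -> dict:
    payload = random.Random(7).randbytes(4096)     # constructed stand-in for an encrypted blob
    cert = b"\x30\x82\x26\x24" + b"\xA5" * 60       # constructed placeholder, not a real PKCS#7
    return {
        "clean": triage(build_pe(payload)),
        "signed": triage(build_pe(payload, cert)),
        "patched": triage(build_pe(payload[:-1] + bytes([payload[-1] ^ 1]), cert)),
    }
```

Because the certificate table is outside the hashed region, anyone can append one; verification then recomputes the digest and compares it with the one inside the blob, and a mismatch is reported as 0x80096010. Against the real sample, `signtool verify /pa /v` or PowerShell's `Get-AuthenticodeSignature` gives the same verdict as the report; what they do not show, and what the entropy column does, is the writable 7.9996-entropy section carrying the payload.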
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-08T13:31:49.344989+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49686 | 162.55.60.2 | 80 | TCP |
- Total Packets: 57
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 8, 2025 13:31:47.388206005 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:47.699861050 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:48.309240103 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:48.985435963 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.164244890 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.164335012 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.165051937 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.344049931 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.344875097 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.344892979 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.344913960 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.344989061 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.345014095 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.345015049 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345094919 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345109940 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345149994 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.345163107 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345177889 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345204115 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345216036 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.345225096 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.345251083 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.348154068 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.512473106 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:49.523912907 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.523935080 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.523947954 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.523961067 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.523972988 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524019957 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524034977 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524122000 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.524122000 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.524122000 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.524137974 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524152040 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524164915 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524178028 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524190903 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:31:49.524193048 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:49.524230957 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:31:51.918765068 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:55.983304977 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:31:56.293658972 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:31:56.731230021 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:31:56.903084993 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:31:58.106158972 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:32:00.512413979 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:32:04.704322100 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:32:04.704376936 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:32:05.324918032 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:32:06.083837986 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:06.177040100 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:32:06.177344084 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:06.177498102 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:06.270411015 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:32:06.271215916 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:32:06.271295071 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:32:06.271476984 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:06.277004957 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:06.340559006 CEST | 49672 | 443 | 192.168.2.6 | 204.79.197.203 |
Apr 8, 2025 13:32:06.373426914 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:32:06.419203043 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:32:14.934504032 CEST | 49678 | 443 | 192.168.2.6 | 20.42.65.91 |
Apr 8, 2025 13:32:19.956146955 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:32:19.956244946 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:32:31.856461048 CEST | 49684 | 80 | 192.168.2.6 | 23.203.176.221 |
Apr 8, 2025 13:32:31.856535912 CEST | 49682 | 80 | 192.168.2.6 | 23.203.176.221 |
Apr 8, 2025 13:32:31.856584072 CEST | 49683 | 80 | 192.168.2.6 | 199.232.214.172 |
Apr 8, 2025 13:32:31.856615067 CEST | 49685 | 80 | 192.168.2.6 | 23.39.37.29 |
Apr 8, 2025 13:32:31.950731993 CEST | 80 | 49685 | 23.39.37.29 | 192.168.2.6 |
Apr 8, 2025 13:32:31.950822115 CEST | 49685 | 80 | 192.168.2.6 | 23.39.37.29 |
Apr 8, 2025 13:32:31.951360941 CEST | 80 | 49683 | 199.232.214.172 | 192.168.2.6 |
Apr 8, 2025 13:32:31.951545000 CEST | 80 | 49683 | 199.232.214.172 | 192.168.2.6 |
Apr 8, 2025 13:32:31.951594114 CEST | 49683 | 80 | 192.168.2.6 | 199.232.214.172 |
Apr 8, 2025 13:32:31.952001095 CEST | 80 | 49684 | 23.203.176.221 | 192.168.2.6 |
Apr 8, 2025 13:32:31.952075005 CEST | 49684 | 80 | 192.168.2.6 | 23.203.176.221 |
Apr 8, 2025 13:32:31.952119112 CEST | 80 | 49682 | 23.203.176.221 | 192.168.2.6 |
Apr 8, 2025 13:32:31.952159882 CEST | 49682 | 80 | 192.168.2.6 | 23.203.176.221 |
Apr 8, 2025 13:32:35.135641098 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:32:35.135752916 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:32:50.315818071 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:32:50.316194057 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:33:05.523868084 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:33:05.523973942 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:33:06.405693054 CEST | 443 | 49681 | 2.23.227.215 | 192.168.2.6 |
Apr 8, 2025 13:33:06.405719042 CEST | 443 | 49681 | 2.23.227.215 | 192.168.2.6 |
Apr 8, 2025 13:33:06.405966043 CEST | 49681 | 443 | 192.168.2.6 | 2.23.227.215 |
Apr 8, 2025 13:33:06.559736013 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:33:06.652569056 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6 |
Apr 8, 2025 13:33:06.652647018 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99 |
Apr 8, 2025 13:33:21.337060928 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:33:21.337218046 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:33:36.521392107 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:33:36.521477938 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:33:38.669568062 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
Apr 8, 2025 13:33:38.848614931 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6 |
Apr 8, 2025 13:33:38.848741055 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2 |
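The TCP table above is raw packet timing; what an analyst wants from it is the shape of each connection. The connection on source port 49686 to 162.55.60.2:80 (the one the ETPRO downloader alert fired on) opens at 13:31:48, moves data in a burst within the next second, and then exchanges a single packet in each direction roughly every 15 s until 13:33:38: a connection deliberately held open after the transfer. The script below is an added example, not report output: it parses a subset of the rows above (the 49686 flow and the 49694 flow to 142.250.80.99, copied verbatim), groups them into connections and reports lifetime and whether the idle gaps repeat at one fixed interval. The 5 s idle threshold and the 1 s periodicity tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Rows copied from the TCP table above: the 49686 connection to 162.55.60.2:80 and the
# 49694 connection to 142.250.80.99:80 (a subset of the 57 packets).
PACKETS = """
Apr 8, 2025 13:31:48.985435963 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:31:49.164244890 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:31:49.164335012 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:31:49.165051937 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:31:49.344049931 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:32:04.704322100 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:32:04.704376936 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:32:06.083837986 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99
Apr 8, 2025 13:32:06.177040100 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6
Apr 8, 2025 13:32:06.177344084 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99
Apr 8, 2025 13:32:06.177498102 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99
Apr 8, 2025 13:32:06.270411015 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6
Apr 8, 2025 13:32:19.956146955 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:32:19.956244946 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:32:35.135641098 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:32:35.135752916 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:32:50.315818071 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:32:50.316194057 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:33:05.523868084 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:33:05.523973942 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:33:06.559736013 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99
Apr 8, 2025 13:33:06.652569056 CEST | 80 | 49694 | 142.250.80.99 | 192.168.2.6
Apr 8, 2025 13:33:06.652647018 CEST | 49694 | 80 | 192.168.2.6 | 142.250.80.99
Apr 8, 2025 13:33:21.337060928 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:33:21.337218046 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:33:36.521392107 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:33:36.521477938 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:33:38.669568062 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
Apr 8, 2025 13:33:38.848614931 CEST | 80 | 49686 | 162.55.60.2 | 192.168.2.6
Apr 8, 2025 13:33:38.848741055 CEST | 49686 | 80 | 192.168.2.6 | 162.55.60.2
"""


def parse_ts(text: str) -> float:
    """'Apr 8, 2025 13:31:48.985435963 CEST' -> seconds (nanoseconds truncated to microseconds)."""
    head, frac = text.replace(" CEST", "").rsplit(".", 1)
    dt = datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + int(frac[:6].ljust(6, "0")) / 1e6


def flows(table: str) -> dict:
    """Group packets by connection, keyed (client, client_port, server, server_port); the side on
    the lower port is taken to be the server. Values are sorted (time, client_to_server) pairs."""
    out = defaultdict(list)
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        sport, dport = int(sport), int(dport)
        key = (src, sport, dst, dport) if sport > dport else (dst, dport, src, sport)
        out[key].append((parse_ts(ts), src == key[0]))
    return {k: sorted(v) for k, v in out.items()}


def idle_gaps(packets: list, min_gap: float = 5.0) -> list:
    """Silences of at least min_gap seconds between consecutive packets."""
    times = [t for t, _ in packets]
    return [round(b - a, 2) for a, b in zip(times, times[1:]) if b - a >= min_gap]


def summarize(table: str) -> dict:
    """Per connection: packet count, lifetime, idle gaps, and whether the gaps repeat at one
    interval (within 1 s), the signature of a connection kept alive by periodic probes."""
    report = {}
    for key, packets in flows(table).items():
        gaps = idle_gaps(packets)
        report[key] = {
            "packets": len(packets),
            "seconds": round(packets[-1][0] - packets[0][0], 1),
            "idle_gaps": gaps,
            "median_gap": round(median(gaps), 1) if gaps else None,
            "periodic_idle": len(gaps) >= 3 and max(gaps) - min(gaps) <= 1.0,
        }
    return report
```

Run over the full 57-packet table the same way: the 443 flows to 204.79.197.203 and 20.42.65.91 (Microsoft ranges, background Windows traffic) show no such regularity, which is how the interesting flow separates from sandbox noise without looking at payload.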
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 8, 2025 13:31:48.700417995 CEST | 59628 | 53 | 192.168.2.6 | 1.1.1.1 |
Apr 8, 2025 13:31:48.978553057 CEST | 53 | 59628 | 1.1.1.1 | 192.168.2.6 |
Apr 8, 2025 13:32:05.982707024 CEST | 62315 | 53 | 192.168.2.6 | 1.1.1.1 |
Apr 8, 2025 13:32:06.080605984 CEST | 53 | 62315 | 1.1.1.1 | 192.168.2.6 |
Apr 8, 2025 13:32:18.623868942 CEST | 51834 | 53 | 192.168.2.6 | 1.1.1.1 |
Apr 8, 2025 13:32:18.723809004 CEST | 53 | 51834 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 8, 2025 13:31:48.700417995 CEST | 192.168.2.6 | 1.1.1.1 | 0x522f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 8, 2025 13:32:05.982707024 CEST | 192.168.2.6 | 1.1.1.1 | 0x40a3 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 8, 2025 13:32:18.623868942 CEST | 192.168.2.6 | 1.1.1.1 | 0x2d7c | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 8, 2025 13:31:48.978553057 CEST | 1.1.1.1 | 192.168.2.6 | 0x522f | No error (0) | 162.55.60.2 | A (IP address) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:05.677352905 CEST | 1.1.1.1 | 192.168.2.6 | 0xb100 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:05.677352905 CEST | 1.1.1.1 | 192.168.2.6 | 0xb100 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:06.080605984 CEST | 1.1.1.1 | 192.168.2.6 | 0x40a3 | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:06.080605984 CEST | 1.1.1.1 | 192.168.2.6 | 0x40a3 | No error (0) | 142.250.80.99 | A (IP address) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:18.723809004 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d7c | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 8, 2025 13:32:18.723809004 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d7c | No error (0) | 142.251.41.3 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 07:31:46 |
Start date: | 08/04/2025 |
Path: | C:\Users\user\Desktop\otq7hhgWfq.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff644240000 |
File size: | 809'000 bytes |
MD5 hash: | D7EBF3EF787A3FB57A1A0FA793D0B2AB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 07:31:47 |
Start date: | 08/04/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 07:31:47 |
Start date: | 08/04/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x200000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 07:31:47 |
Start date: | 08/04/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe50000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
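The process list above is the behavioural core of the report: a native (C/C++) loader on the user's Desktop starts MSBuild.exe three times with nothing but the image path on the command line, and the DarkCloud Yara hits land in the last of them, the still-running 32-bit (Wow64) instance, which fits a Visual Basic payload injected into a trusted, Microsoft-signed .NET host. MSBuild.exe builds nothing without a project file or switches, so a bare launch from an unexpected parent is the detection handle. The function below is an added example, not a rule from the report or from the Sigma source cited in it: it scores constructed Sysmon-style process-creation events (the four processes above, plus two benign launches that are assumed) on three independent signals and flags a launch when at least two agree. The parent allow-list, the user-writable path pattern and the loader's own parent are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """The process-creation fields this check needs (Sysmon event 1 and Security 4688 carry them)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


# Assumption: parents that legitimately spawn MSBuild.exe; extend per environment.
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe", "servicehub.host.clr.x86.exe"}
# Assumption: directories a standard user can write to, where a dropped loader would live.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)
MSBUILD = re.compile(r"\\msbuild\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(command_line: str) -> str:
    """Everything after the (possibly quoted) image path; empty string for a bare launch."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end > 0 else ""
    parts = cmd.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def score_event(ev: ProcessCreate) -> list:
    """Independent reasons an MSBuild.exe start looks like an injection host rather than a build."""
    if not MSBUILD.search(ev.image):
        return []
    reasons = []
    if not arguments(ev.command_line):
        reasons.append("bare command line: no project file or switches")
    if basename(ev.parent_image) not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {basename(ev.parent_image)}")
    if USER_WRITABLE.match(ev.parent_image):
        reasons.append("parent image in a user-writable directory")
    return reasons


def find_hollowing_candidates(events, min_signals: int = 2) -> dict:
    """pid -> reasons, for every MSBuild.exe launch carrying at least min_signals reasons."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_signals:
            hits[ev.pid] = reasons
    return hits


MSBUILD_X86 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
LOADER = r"C:\Users\user\Desktop\otq7hhgWfq.exe"
# Constructed events: the four processes from the tree above (the loader's parent is assumed),
# plus two benign launches (assumed) that show what does not trip the check.
SAMPLE_EVENTS = [
    ProcessCreate(7036, LOADER, f'"{LOADER}"', r"C:\Windows\explorer.exe"),
    ProcessCreate(7080, MSBUILD_X86, f'"{MSBUILD_X86}"', LOADER),
    ProcessCreate(7084, MSBUILD_X86, f'"{MSBUILD_X86}"', LOADER),
    ProcessCreate(2436, MSBUILD_X86, f'"{MSBUILD_X86}"', LOADER),
    ProcessCreate(5120, MSBUILD_X86, rf'"{MSBUILD_X86}" /nologo /t:Build C:\src\app\app.csproj',
                  r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    ProcessCreate(5130, MSBUILD_X86, rf'"{MSBUILD_X86}" C:\src\app\app.sln', r"C:\Windows\System32\cmd.exe"),
]
```

The two-signal threshold is the point: a developer running MSBuild.exe from cmd.exe (pid 5130) trips only the parent check and stays quiet, while each of the three children above trips all three. In an environment where MSBuild.exe has no business running at all, drop the threshold to one and treat any launch as an alert.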