
Windows Analysis Report
VoaY6Clwfh.exe

Overview

General Information

Sample name: VoaY6Clwfh.exe (renamed because the original name is a hash value)
Original sample name: 60a51d420d7d48fe4b9667fb893de3b168138632fbea1ae9267db2be4b607e14.exe
Analysis ID: 1632199
MD5: c7fecb5f0eaaeb4b308fa53e27b6fac8
SHA1: dc48cf73cec4ac6e71c23c577b81cdf4683c7a7c
SHA256: 60a51d420d7d48fe4b9667fb893de3b168138632fbea1ae9267db2be4b607e14
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • VoaY6Clwfh.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\VoaY6Clwfh.exe" MD5: C7FECB5F0EAAEB4B308FA53E27B6FAC8)
    • MSBuild.exe (PID: 7756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.chinaplasticsac.com", "Username": "fileme@chinaplasticsac.com", "Password": "8ZBcRV7dC~bT            "}
Source | Rule | Description | Author | Strings
00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1338141352.0000000005A40000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000002.2529966193.0000000002915000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.VoaY6Clwfh.exe.5a40000.7.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.VoaY6Clwfh.exe.5a40000.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.VoaY6Clwfh.exe.41e3250.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.VoaY6Clwfh.exe.41e3250.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.VoaY6Clwfh.exe.41e3250.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32ab1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32b23:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32bad:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32c3f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32ca9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32d1b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32db1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32e41:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                    System Summary

Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7756, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49687
No Suricata rule has matched


                    AV Detection

Source: VoaY6Clwfh.exe | Avira: detected
Source: 6.2.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.chinaplasticsac.com", "Username": "fileme@chinaplasticsac.com", "Password": "8ZBcRV7dC~bT "}
Source: VoaY6Clwfh.exe | Virustotal: Detection: 47%
Source: VoaY6Clwfh.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VoaY6Clwfh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VoaY6Clwfh.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004157000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1340022400.00000000061C0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004157000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1340022400.00000000061C0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 2_2_02DC082C
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then jmp 05B6BE39h | 2_2_05B6BDD8
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then jmp 05B6BE39h | 2_2_05B6BDC8
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then jmp 05B6BE39h | 2_2_05B6BFBF
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then jmp 05B6B6E7h | 2_2_05B6B688
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 4x nop then jmp 05B6B6E7h | 2_2_05B6B679
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: VoaY6Clwfh.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VoaY6Clwfh.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VoaY6Clwfh.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: VoaY6Clwfh.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: MSBuild.exe, 00000006.00000002.2529966193.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2528526488.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: VoaY6Clwfh.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: VoaY6Clwfh.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: VoaY6Clwfh.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: VoaY6Clwfh.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VoaY6Clwfh.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443

                    System Summary

Source: 2.2.VoaY6Clwfh.exe.41e3250.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.VoaY6Clwfh.exe.41e3250.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_0585FE38 NtResumeThread, | 2_2_0585FE38
Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_0585FE31 NtResumeThread, | 2_2_0585FE31
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000040DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004157000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000000.1284214265.0000000000482000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVmaatinyfkd.exeP vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004024000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMpuwuftvi.dll" vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.00000000032EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1309216190.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1340022400.00000000061C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe, 00000002.00000002.1335760544.00000000055B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMpuwuftvi.dll" vs VoaY6Clwfh.exe
Source: VoaY6Clwfh.exe | Binary or memory string: OriginalFilenameVmaatinyfkd.exeP vs VoaY6Clwfh.exe
                    Source: VoaY6Clwfh.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 2.2.VoaY6Clwfh.exe.41e3250.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.VoaY6Clwfh.exe.41e3250.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                    Source: VoaY6Clwfh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: MSBuild.exe, 00000006.00000002.2529966193.00000000029ED000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: VoaY6Clwfh.exe | Virustotal: Detection: 47%
                    Source: VoaY6Clwfh.exe | ReversingLabs: Detection: 44%
                    Source: VoaY6Clwfh.exe | String found in binary or memory: The object state cannot be changed. This exception may result from one or more of the primary key properties being set to null. Non-Added objects cannot have null primary key values. See inner exception for details.
                    Source: VoaY6Clwfh.exe | String found in binary or memory: Could not load assembly '{0}'. (If you are using Code First Migrations inside Visual Studio this can happen if the startUp project for your solution does not reference the project that contains your migrations. You can either change the startUp project for your solution or use the -StartUpProjectName parameter.)
                    Source: VoaY6Clwfh.exe | String found in binary or memory: , name: %, clustered: false-addForeignKeyOperation
                    Source: VoaY6Clwfh.exe | String found in binary or memory: }-addPrimaryKeyOperation
                    Source: unknown | Process created: C:\Users\user\Desktop\VoaY6Clwfh.exe "C:\Users\user\Desktop\VoaY6Clwfh.exe"
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winsta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: VoaY6Clwfh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: VoaY6Clwfh.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: VoaY6Clwfh.exe | Static file information: File size 63963136 > 1048576
                    Source: VoaY6Clwfh.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x735c00
                    Source: VoaY6Clwfh.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004157000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1340022400.00000000061C0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000004157000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1340022400.00000000061C0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                    Source: 2.2.VoaY6Clwfh.exe.4107288.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                    Source: 2.2.VoaY6Clwfh.exe.5b10000.8.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                    Source: 2.2.VoaY6Clwfh.exe.5b10000.8.raw.unpack, ListDecorator.cs | .Net Code: Read
                    Source: 2.2.VoaY6Clwfh.exe.5b10000.8.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                    Source: 2.2.VoaY6Clwfh.exe.5b10000.8.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                    Source: 2.2.VoaY6Clwfh.exe.5b10000.8.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                    Source: Yara match | File source: 2.2.VoaY6Clwfh.exe.5a40000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.VoaY6Clwfh.exe.5a40000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.1338141352.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: VoaY6Clwfh.exe PID: 7508, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_02DC1849 pushad ; ret 2_2_02DC1855
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05816DB5 push esi; retf 2_2_05816DB6
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05816D54 push esi; retf 2_2_05816D56
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_0585D0DF pushad ; ret 2_2_0585D0E5
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05858B35 push ebp; ret 2_2_05858B36
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05AED582 pushfd ; retf 2_2_05AED589
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05B6EAB6 push es; iretd 2_2_05B6EAB9
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05CD0391 push edx; retf 2_2_05CD039E
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05CD095F push ebx; retf 2_2_05CD098C
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05CE1D57 push esp; iretd 2_2_05CE1D5B
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05CE1C9B push esp; iretd 2_2_05CE1C9C
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Code function: 2_2_05CE1E27 push esp; iretd 2_2_05CE1E2B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_054CC840 push es; ret 6_2_054CC850
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: VoaY6Clwfh.exe PID: 7508, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.0000000002915000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029BC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Memory allocated: 2CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Memory allocated: 2F20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: C60000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 28E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: DC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: MSBuild.exe, 00000006.00000002.2529966193.00000000029BC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: MSBuild.exe, 00000006.00000002.2529966193.00000000029BC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
                    Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
                    Source: VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
                    Source: MSBuild.exe, 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
                    Source: MSBuild.exe, 00000006.00000002.2528526488.0000000000D22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeQueries volume information: C:\Users\user\Desktop\VoaY6Clwfh.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\VoaY6Clwfh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VoaY6Clwfh.exe PID: 7508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7756, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2529966193.0000000002915000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VoaY6Clwfh.exe PID: 7508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7756, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.VoaY6Clwfh.exe.41e3250.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VoaY6Clwfh.exe PID: 7508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7756, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts231
                    Windows Management Instrumentation
                    1
                    Scheduled Task/Job
                    11
                    Process Injection
                    24
                    Virtualization/Sandbox Evasion
                    1
                    OS Credential Dumping
                    431
                    Security Software Discovery
                    Remote Services1
                    Email Collection
                    12
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter
                    1
                    DLL Side-Loading
                    1
                    Scheduled Task/Job
                    1
                    Disable or Modify Tools
                    LSASS Memory24
                    Virtualization/Sandbox Evasion
                    Remote Desktop Protocol1
                    Archive Collected Data
                    1
                    Ingress Tool Transfer
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job
                    Logon Script (Windows)1
                    DLL Side-Loading
                    11
                    Process Injection
                    Security Account Manager1
                    Process Discovery
                    SMB/Windows Admin Shares1
                    Data from Local System
                    2
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                    Obfuscated Files or Information
                    NTDS1
                    System Network Configuration Discovery
                    Distributed Component Object ModelInput Capture3
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Software Packing
                    LSA Secrets1
                    File and Directory Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading
                    Cached Domain Credentials34
                    System Information Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Source | Detection | Scanner | Label
VoaY6Clwfh.exe | 48% | Virustotal |
VoaY6Clwfh.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
VoaY6Clwfh.exe | 100% | Avira | TR/Kryptik.wzowt
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
pki-goog.l.google.com | 142.250.185.163 | true | false | | high
c.pki.goog | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-net | VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | VoaY6Clwfh.exe, 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VoaY6Clwfh.exe, 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029A0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | VoaY6Clwfh.exe, 00000002.00000002.1338831614.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, VoaY6Clwfh.exe, 00000002.00000002.1329151593.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | MSBuild.exe, 00000006.00000002.2529966193.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2529966193.00000000029BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632199
Start date and time: 2025-03-07 20:49:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: VoaY6Clwfh.exe
renamed because original name is a hash value
Original Sample Name: 60a51d420d7d48fe4b9667fb893de3b168138632fbea1ae9267db2be4b607e14.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 310
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209, 23.199.214.10, 199.232.210.172
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-b-net.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | TMAPF0DIuM.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | file.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | 1100000111110001112.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
208.95.112.1 | PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | ip-api.com/line/
208.95.112.1 | GQKWopXj7S.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 1W2TnU01xb.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 2PJ65Chy6v.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | TMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | file.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | 1100000111110001112.vbs | malicious | AgentTesla | 208.95.112.1
ip-api.com | hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
ip-api.com | PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | 208.95.112.1
ip-api.com | V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | 208.95.112.1
ip-api.com | GQKWopXj7S.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 1W2TnU01xb.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 2PJ65Chy6v.exe | malicious | AgentTesla | 208.95.112.1
bg.microsoft.map.fastly.net | letsVPN.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | letsVPN.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | NEW ORDER (PO. 2100002 (BT-INC).xls | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Purchase Order.xla.xlsx | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Royal Mail Inland Claim Form V1.3.xlsm | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | kDubrmi6B5.msi | malicious | Metastealer | 199.232.210.172
bg.microsoft.map.fastly.net | Br6Dejo3eu.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | Uy1xrVW6Fh.exe | malicious | XWorm | 199.232.214.172
bg.microsoft.map.fastly.net | Damage product 3.vbs | malicious | AsyncRAT, Batch Injector, VenomRAT | 199.232.214.172
bg.microsoft.map.fastly.net | a3mJZekUZC.exe | malicious | Quasar | 199.232.210.172
pki-goog.l.google.com | DHL - OVERDUE ACCOUNT LETTER- FINAL REMINDER - 1300711528.com.exe | malicious | Unknown | 142.250.185.99
pki-goog.l.google.com | Br6Dejo3eu.exe | malicious | LummaC Stealer | 172.217.23.99
pki-goog.l.google.com | Uy1xrVW6Fh.exe | malicious | XWorm | 216.58.206.67
pki-goog.l.google.com | skf7iF4.bat | malicious | Unknown | 172.217.16.131
pki-goog.l.google.com | SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe | malicious | XWorm | 142.250.185.67
pki-goog.l.google.com | SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe | malicious | XWorm | 172.217.18.3
pki-goog.l.google.com | https://aircarecolorado.com/locations/van-locations/?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.186.163
pki-goog.l.google.com | https://aircarecolorado.com/locations/van-locations?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.184.195
pki-goog.l.google.com | https://aircarecolorado.com/locations/van-locations?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.186.35
pki-goog.l.google.com | https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p | malicious | HTMLPhisher, Invisible JS | 142.250.181.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | TMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | file.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
TUT-ASUS | 1100000111110001112.vbs | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
TUT-ASUS | PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | 208.95.112.1
TUT-ASUS | GQKWopXj7S.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 1W2TnU01xb.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 2PJ65Chy6v.exe | malicious | AgentTesla | 208.95.112.1
                                                No context
                                                No context
                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 1.1461564965843973
TrID:
• Win32 Executable (generic) a (10002005/4) 99.81%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: VoaY6Clwfh.exe
File size: 63'963'136 bytes
MD5: c7fecb5f0eaaeb4b308fa53e27b6fac8
SHA1: dc48cf73cec4ac6e71c23c577b81cdf4683c7a7c
SHA256: 60a51d420d7d48fe4b9667fb893de3b168138632fbea1ae9267db2be4b607e14
SHA512: 99f497729bd5ba2fd72f823d110631a146b941977b5215d11a5f477285088b37b4a8a8b447447a688f0931168a7c22e943815fcf43e275f6917deb72c7db860d
SSDEEP: 98304:1HXCMbQ5DzQJN2Cc+mk9AgfhRdqxoyxDR6rKUsmv:xyMbQ5DHd+XS29Fv
TLSH: 67E76B4177E88E26E5BF0375A03191146BF6F9972322DA4A308C72AA1F637009F5777B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:..g.................\s..........zs.. ....s...@.. ....................... t...........`................................
Icon Hash: d08c8e8ea2868a54
Entrypoint: 0xb37aee
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67B88F3A [Fri Feb 21 14:35:38 2025 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Signature Valid:
                                                Signature Issuer:
                                                Signature Validation Error:
                                                Error Number:
                                                Not Before, Not After
                                                  Subject Chain
                                                    Version:
                                                    Thumbprint MD5:
                                                    Thumbprint SHA-1:
                                                    Thumbprint SHA-256:
                                                    Serial:
                                                    Instruction
                                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x737a98 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x738000 | 0x7dbe | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x73de00 | 0x2860 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x740000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x735af4 | 0x735c00 | c7ccea4ad6dd516ff4944bf5fab0b946 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x738000 | 0x7dbe | 0x7e00 | 1fb849f167489bc8f5e4a4891440b042 | False | 0.34489707341269843 | data | 5.884811118142812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x740000 | 0xc | 0x200 | cef50dcbc6bbdfe92b10467ecbf82f88 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x738340 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21890243902439024
RT_ICON | 0x7389a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.3400537634408602
RT_ICON | 0x738c90 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.35450819672131145
RT_ICON | 0x738e78 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46283783783783783
RT_ICON | 0x738fa0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5026652452025586
RT_ICON | 0x739e48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.5798736462093863
RT_ICON | 0x73a6f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.40264976958525345
RT_ICON | 0x73adb8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.3273121387283237
RT_ICON | 0x73b320 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.27344398340248965
RT_ICON | 0x73d8c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.37875234521575984
RT_ICON | 0x73e970 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.37868852459016394
RT_ICON | 0x73f2f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4796099290780142
RT_GROUP_ICON | 0x73f760 | 0xae | data | | | 0.5977011494252874
RT_VERSION | 0x73f810 | 0x3c2 | data | | | 0.41476091476091476
RT_MANIFEST | 0x73fbd4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments | Java Platform SE binary
CompanyName | Oracle Corporation
FileDescription | Java Platform SE binary
FileVersion | 8.0.4410.7
InternalName | Vmaatinyfkd.exe
LegalCopyright | Copyright 2025
LegalTrademarks |
OriginalFilename | Vmaatinyfkd.exe
ProductName | Java Platform SE 8 U441
ProductVersion | 8.0.4410.7
Assembly Version | 8.0.4410.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:50:47.863274097 CET | 49672 | 443 | 192.168.2.6 | 204.79.197.203
Mar 7, 2025 20:50:51.910883904 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:50:52.222608089 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:50:52.691366911 CET | 49672 | 443 | 192.168.2.6 | 204.79.197.203
Mar 7, 2025 20:50:52.831984043 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:50:54.035171032 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:50:55.921653986 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:50:55.926808119 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 20:50:55.926879883 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:50:55.930630922 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:50:55.936038017 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 20:50:56.420620918 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 20:50:56.441375971 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:50:56.472606897 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:51:01.253875971 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:51:02.312412977 CET | 49672 | 443 | 192.168.2.6 | 204.79.197.203
Mar 7, 2025 20:51:10.863286018 CET | 49678 | 443 | 192.168.2.6 | 20.42.65.91
Mar 7, 2025 20:51:31.887856007 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:51:31.892891884 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:51:31.892981052 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:51:31.893069983 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:51:31.898215055 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:51:32.524960041 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:51:32.532588005 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:51:32.537672997 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:51:32.715718031 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:51:32.769633055 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:51:50.368467093 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 20:51:50.368704081 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:52:02.070493937 CET | 443 | 49680 | 2.23.227.215 | 192.168.2.6
Mar 7, 2025 20:52:02.070631981 CET | 49680 | 443 | 192.168.2.6 | 2.23.227.215
Mar 7, 2025 20:52:02.070655107 CET | 443 | 49680 | 2.23.227.215 | 192.168.2.6
Mar 7, 2025 20:52:02.070714951 CET | 49680 | 443 | 192.168.2.6 | 2.23.227.215
Mar 7, 2025 20:52:32.941622972 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:52:32.947947979 CET | 80 | 49689 | 142.250.185.163 | 192.168.2.6
Mar 7, 2025 20:52:32.948025942 CET | 49689 | 80 | 192.168.2.6 | 142.250.185.163
Mar 7, 2025 20:52:36.473635912 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 20:52:36.478768110 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:50:55.907069921 CET | 64114 | 53 | 192.168.2.6 | 1.1.1.1
Mar 7, 2025 20:50:55.915482998 CET | 53 | 64114 | 1.1.1.1 | 192.168.2.6
Mar 7, 2025 20:51:31.879610062 CET | 55702 | 53 | 192.168.2.6 | 1.1.1.1
Mar 7, 2025 20:51:31.887079000 CET | 53 | 55702 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 20:50:55.907069921 CET | 192.168.2.6 | 1.1.1.1 | 0x2d3d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:31.879610062 CET | 192.168.2.6 | 1.1.1.1 | 0xa3aa | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 20:50:55.915482998 CET | 1.1.1.1 | 192.168.2.6 | 0x2d3d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:31.383327007 CET | 1.1.1.1 | 192.168.2.6 | 0xc2fc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:31.383327007 CET | 1.1.1.1 | 192.168.2.6 | 0xc2fc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:31.887079000 CET | 1.1.1.1 | 192.168.2.6 | 0xa3aa | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 20:51:31.887079000 CET | 1.1.1.1 | 192.168.2.6 | 0xa3aa | No error (0) | pki-goog.l.google.com | | 142.250.185.163 | A (IP address) | IN (0x0001) | false
                                                    • ip-api.com
                                                    • c.pki.goog
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49687 | 208.95.112.1 | 80 | 7756 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 20:50:55.930630922 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Mar 7, 2025 20:50:56.420620918 CET | 175 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 07 Mar 2025 19:50:55 GMT
                                                    Content-Type: text/plain; charset=utf-8
                                                    Content-Length: 6
                                                    Access-Control-Allow-Origin: *
                                                    X-Ttl: 60
                                                    X-Rl: 44
                                                    Data Raw: 66 61 6c 73 65 0a
                                                    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.6 | 49689 | 142.250.185.163 | 80
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 20:51:31.893069983 CET | 202 | OUT | GET /r/gsr1.crl HTTP/1.1
                                                    Cache-Control: max-age = 3000
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
                                                    User-Agent: Microsoft-CryptoAPI/10.0
                                                    Host: c.pki.goog
Mar 7, 2025 20:51:32.524960041 CET | 223 | IN | HTTP/1.1 304 Not Modified
                                                    Date: Fri, 07 Mar 2025 19:19:15 GMT
                                                    Expires: Fri, 07 Mar 2025 20:09:15 GMT
                                                    Age: 1937
                                                    Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
                                                    Cache-Control: public, max-age=3000
                                                    Vary: Accept-Encoding
Mar 7, 2025 20:51:32.532588005 CET | 200 | OUT | GET /r/r4.crl HTTP/1.1
                                                    Cache-Control: max-age = 3000
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
                                                    User-Agent: Microsoft-CryptoAPI/10.0
                                                    Host: c.pki.goog
Mar 7, 2025 20:51:32.715718031 CET | 223 | IN | HTTP/1.1 304 Not Modified
                                                    Date: Fri, 07 Mar 2025 19:19:17 GMT
                                                    Expires: Fri, 07 Mar 2025 20:09:17 GMT
                                                    Age: 1935
                                                    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                    Cache-Control: public, max-age=3000
                                                    Vary: Accept-Encoding



                                                    Target ID:2
                                                    Start time:14:50:51
                                                    Start date:07/03/2025
                                                    Path:C:\Users\user\Desktop\VoaY6Clwfh.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\VoaY6Clwfh.exe"
                                                    Imagebase:0x480000
                                                    File size:63'963'136 bytes
                                                    MD5 hash:C7FECB5F0EAAEB4B308FA53E27B6FAC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1329151593.00000000041CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.1338141352.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1329151593.0000000003F28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.1310707607.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:14:50:54
                                                    Start date:07/03/2025
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                    Imagebase:0x4f0000
                                                    File size:262'432 bytes
                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2529966193.0000000002915000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2526883031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false
