Windows Analysis Report
uolmaTGkHh.exe

Overview

General Information

Sample name: uolmaTGkHh.exe (renamed because the original name is a hash value)
Original sample name: e36062ec168d0419711c6b6a4acdf3a79ade9e5a28c1b62ce45c68f22735f025.exe
Analysis ID: 1632201
MD5: d6e15801658f82bb5cebf9ddfb0ceba0
SHA1: 6e9f2674fe7593cdde2561fdf847349f41290d1a
SHA256: e36062ec168d0419711c6b6a4acdf3a79ade9e5a28c1b62ce45c68f22735f025
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • uolmaTGkHh.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\uolmaTGkHh.exe" MD5: D6E15801658F82BB5CEBF9DDFB0CEBA0)
    • MSBuild.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.chinaplasticsac.com", "Username": "fileme@chinaplasticsac.com", "Password": "8ZBcRV7dC~bT            "}
Yara matches in memory dumps (5 of 10 entries shown):
Source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000000.00000002.942312480.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Yara matches in unpacked PE files (5 of 6 entries shown):
Source: 0.2.uolmaTGkHh.exe.5f60000.7.raw.unpack, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 0.2.uolmaTGkHh.exe.5f60000.7.unpack, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 1.2.MSBuild.exe.800000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

                      System Summary

Source: Network Connection, Author: Kiran kumar s, oscd.community, Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6536, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49683
                      No Suricata rule has matched


                      AV Detection

Source: uolmaTGkHh.exe, Avira: detected
Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.chinaplasticsac.com", "Username": "fileme@chinaplasticsac.com", "Password": "8ZBcRV7dC~bT "}
Source: uolmaTGkHh.exe, Virustotal: Detection: 63%
Source: uolmaTGkHh.exe, ReversingLabs: Detection: 57%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.8% probability
Source: uolmaTGkHh.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: uolmaTGkHh.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: uolmaTGkHh.exe, 00000000.00000002.944240515.0000000006690000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000466A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000046E2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: uolmaTGkHh.exe, 00000000.00000002.944240515.0000000006690000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000466A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000046E2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (0_2_059B0780)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (0_2_059B0774)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then jmp 05DDDD11h (0_2_05DDDCFA)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then jmp 05DDEDD0h (0_2_05DDED77)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then jmp 05DDEDD0h (0_2_05DDEC98)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then jmp 05DDEDD0h (0_2_05DDEC89)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (0_2_061A5D60)
Source: C:\Users\user\Desktop\uolmaTGkHh.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (0_2_061A5D58)
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: unknown, DNS query: name: ip-api.com
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic, HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic, DNS traffic detected: DNS query: ip-api.com
Source: global traffic, DNS traffic detected: DNS query: c.pki.goog

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, cPKWk.cs, .Net Code: _00D8VK

                      System Summary

Source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 1.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
                      Source: uolmaTGkHh.exeStatic PE information: invalid certificate
                      Source: uolmaTGkHh.exeStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
                      Source: uolmaTGkHh.exe, 00000000.00000002.944240515.0000000006690000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.940332104.0000000005AF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUzpdtchkbj.dll" vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.921530343.00000000016AE000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.000000000466A000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.00000000046E2000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000000.906130505.0000000001072000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFilenameFalsesgwcej.exeD vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000035D9000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilename vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe -- Binary or memory string: OriginalFilenameFalsesgwcej.exeD vs uolmaTGkHh.exe
                      Source: uolmaTGkHh.exe -- Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, type: UNPACKEDPE -- Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 1.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE -- Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, type: UNPACKEDPE -- Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, cPs8D.cs -- Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, 72CF8egH.cs -- Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, G5CXsdn.cs -- Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, 3uPsILA6U.cs -- Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, 6oQOw74dfIt.cs -- Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, aMIWm.cs -- Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, 3QjbQ514BDx.cs -- Cryptographic APIs: 'TransformFinalBlock'
                      Source: classification engine -- Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Mutant created: NULL
                      Source: uolmaTGkHh.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: uolmaTGkHh.exe -- Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: MSBuild.exe, 00000001.00000002.2165009454.0000000002902000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.0000000002915000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: uolmaTGkHh.exe -- Virustotal: Detection: 63%
                      Source: uolmaTGkHh.exe -- ReversingLabs: Detection: 57%
                      Source: uolmaTGkHh.exe -- String found in binary or memory: .PrimaryKey(+, cascadeDelete: true-addForeignKeyOperation
                      Source: uolmaTGkHh.exe -- String found in binary or memory: new[] { -addPrimaryKeyOperation
                      Source: uolmaTGkHh.exe -- String found in binary or memory: The object state cannot be changed. This exception may result from one or more of the primary key properties being set to null. Non-Added objects cannot have null primary key values. See inner exception for details.
                      Source: uolmaTGkHh.exe -- String found in binary or memory: Could not load assembly '{0}'. (If you are using Code First Migrations inside Visual Studio this can happen if the startUp project for your solution does not reference the project that contains your migrations. You can either change the startUp project for your solution or use the -StartUpProjectName parameter.)
                      Source: unknown -- Process created: C:\Users\user\Desktop\uolmaTGkHh.exe "C:\Users\user\Desktop\uolmaTGkHh.exe"
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: version.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wtsapi32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: winsta.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasapi32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasman.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rtutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: winhttp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: winnsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: vaultcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: uolmaTGkHh.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: uolmaTGkHh.exe -- Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: uolmaTGkHh.exe -- Static file information: File size 10696840 > 1048576
                      Source: uolmaTGkHh.exe -- Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa27800
                      Source: uolmaTGkHh.exe -- Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: uolmaTGkHh.exe, 00000000.00000002.944240515.0000000006690000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000466A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000046E2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: uolmaTGkHh.exe, 00000000.00000002.944240515.0000000006690000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000466A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000046E2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.uolmaTGkHh.exe.454a510.4.raw.unpack, TypeModel.cs -- .Net Code: TryDeserializeList
                      Source: 0.2.uolmaTGkHh.exe.454a510.4.raw.unpack, ListDecorator.cs -- .Net Code: Read
                      Source: 0.2.uolmaTGkHh.exe.454a510.4.raw.unpack, TypeSerializer.cs -- .Net Code: CreateInstance
                      Source: 0.2.uolmaTGkHh.exe.454a510.4.raw.unpack, TypeSerializer.cs -- .Net Code: EmitCreateInstance
                      Source: 0.2.uolmaTGkHh.exe.454a510.4.raw.unpack, TypeSerializer.cs -- .Net Code: EmitCreateIfNull
                      Source: Yara match -- File source: 0.2.uolmaTGkHh.exe.5f60000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0.2.uolmaTGkHh.exe.5f60000.7.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 00000000.00000002.942312480.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match -- File source: Process Memory Space: uolmaTGkHh.exe PID: 6420, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_059D5189 pushad ; iretd 0_2_059D5A39
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_059D51A8 pushad ; iretd 0_2_059D5A39
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_05D2C359 push cs; ret 0_2_05D2C35C
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_05DD0007 push esp; retf 0_2_05DD0031
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_05DD3AD7 push ebx; retf 0_2_05DD3ADA
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_05DE449D pushfd ; retf 0_2_05DE449E
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_06043467 push ebp; retf 0_2_06043469
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_06043460 push ebp; retf 0_2_06043461
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_060431BF push cs; iretd 0_2_060431C7
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_0604D1C0 push es; ret 0_2_0604D270
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_061A264C push es; retf 0_2_061A2658
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Code function: 0_2_061D6908 push eax; retf 0_2_061D690D
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match -- File source: Process Memory Space: uolmaTGkHh.exe PID: 6420, type: MEMORYSTR
                      Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.0000000002845000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Memory allocated: 18C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Memory allocated: 34C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- Memory allocated: 3220000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory allocated: DB0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory allocated: 2810000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory allocated: 2620000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: MSBuild.exe, 00000001.00000002.2165009454.0000000002845000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware
                      Source: MSBuild.exe, 00000001.00000002.2165009454.0000000002845000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmware
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware|VIRTUAL|A M I|Xen
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
                      Source: uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Microsoft|VMWare|Virtual
                      Source: MSBuild.exe, 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp -- Binary or memory string: VMwareVBox
                      Source: MSBuild.exe, 00000001.00000002.2167921829.0000000005356000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\uolmaTGkHh.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Code function: 0_2_061A5D60 CheckRemoteDebuggerPresent, 0_2_061A5D60
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Queries volume information: C:\Users\user\Desktop\uolmaTGkHh.exe VolumeInformation
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\uolmaTGkHh.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uolmaTGkHh.exe PID: 6420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 1.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2165009454.0000000002845000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uolmaTGkHh.exe PID: 6420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uolmaTGkHh.exe.476e828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uolmaTGkHh.exe PID: 6420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6536, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the digits in parentheses are reproduced as shown next to each technique in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (231); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (24); Disable or Modify Tools (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (531); Virtualization/Sandbox Evasion (24); Process Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (34); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (1); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Antivirus detection (sample)
Source | Detection | Scanner | Label
uolmaTGkHh.exe | 63% | Virustotal |
uolmaTGkHh.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
uolmaTGkHh.exe | 100% | Avira | TR/AVI.Agent.zbsbg
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://go.mic= | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
pki-goog.l.google.com | 142.250.186.67 | true | false | | high
c.pki.goog | unknown | unknown | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high

URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-net | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.mic= | uolmaTGkHh.exe, 00000000.00000002.921530343.00000000016E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hostinge | MSBuild.exe, 00000001.00000002.2163050550.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | uolmaTGkHh.exe, 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.0000000002811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.00000000028C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | uolmaTGkHh.exe, 00000000.00000002.942785106.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.000000000454A000.00000004.00000800.00020000.00000000.sdmp, uolmaTGkHh.exe, 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | MSBuild.exe, 00000001.00000002.2165009454.0000000002811000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2165009454.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | | high

Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632201
Start date and time: 2025-03-07 20:50:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uolmaTGkHh.exe (renamed because original name is a hash value)
Original Sample Name: e36062ec168d0419711c6b6a4acdf3a79ade9e5a28c1b62ce45c68f22735f025.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 375
• Number of non-executed functions: 68
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 199.232.214.172
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-b-net.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                    No simulations
Joe Sandbox View: IP context
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
TMAPF0DIuM.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
file.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
1100000111110001112.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | ip-api.com/line/
GQKWopXj7S.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
1W2TnU01xb.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
2PJ65Chy6v.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Joe Sandbox View: domain context
Match: pki-goog.l.google.com
Associated Sample Name / URL | Detection | Threat Name | Context
DHL - OVERDUE ACCOUNT LETTER- FINAL REMINDER - 1300711528.com.exe | malicious | Unknown | 142.250.185.99
Br6Dejo3eu.exe | malicious | LummaC Stealer | 172.217.23.99
Uy1xrVW6Fh.exe | malicious | XWorm | 216.58.206.67
skf7iF4.bat | malicious | Unknown | 172.217.16.131
SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe | malicious | XWorm | 142.250.185.67
SecuriteInfo.com.Win32.RATX-gen.12965.16390.exe | malicious | XWorm | 172.217.18.3
https://aircarecolorado.com/locations/van-locations/?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.186.163
https://aircarecolorado.com/locations/van-locations?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.184.195
https://aircarecolorado.com/locations/van-locations?tab=jl_magic_tabs_m_th_current_week_gix1 | malicious | Unknown | 142.250.186.35
https://docs.google.com/presentation/d/e/2PACX-1vSP5XcPJ2CxZRi_aMWj1ncI-XfY7WDBREj5DcuUNYZ0utEzQihTwp_09fWq2KETAmkKt8NC3E04vQkm/pub?start=false&loop=false&delayms=3000#slide=id.p | malicious | HTMLPhisher, Invisible JS | 142.250.181.227

Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
TMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1
file.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
1100000111110001112.vbs | malicious | AgentTesla | 208.95.112.1
hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | 208.95.112.1
SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | 208.95.112.1
V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | 208.95.112.1
GQKWopXj7S.exe | malicious | AgentTesla | 208.95.112.1
1W2TnU01xb.exe | malicious | AgentTesla | 208.95.112.1
2PJ65Chy6v.exe | malicious | AgentTesla | 208.95.112.1

Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
letsVPN.exe | malicious | Unknown | 199.232.210.172
letsVPN.exe | malicious | Unknown | 199.232.210.172
NEW ORDER (PO. 2100002 (BT-INC).xls | malicious | Unknown | 199.232.210.172
Purchase Order.xla.xlsx | malicious | Unknown | 199.232.214.172
Royal Mail Inland Claim Form V1.3.xlsm | malicious | Unknown | 199.232.210.172
kDubrmi6B5.msi | malicious | Metastealer | 199.232.210.172
Br6Dejo3eu.exe | malicious | LummaC Stealer | 199.232.214.172
Uy1xrVW6Fh.exe | malicious | XWorm | 199.232.214.172
Damage product 3.vbs | malicious | AsyncRAT, Batch Injector, VenomRAT | 199.232.214.172
a3mJZekUZC.exe | malicious | Quasar | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
(the SHA 256 "Get hash" and "Browse" link columns of the original table are omitted here)
 | TUT-ASUSTMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1
 | file.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
 | 1100000111110001112.vbs | malicious | AgentTesla | 208.95.112.1
 | hesaphareketi-06-03-2025 (20kb)pdf ____________________________________________________________.exe | malicious | AgentTesla | 208.95.112.1
 | SecuriteInfo.com.FileRepMalware.27385.1483.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
 | PO_87661_111010011112.Vbs.vbs | malicious | AgentTesla | 208.95.112.1
 | V1CCX70AZ8P70ADNI.exe | malicious | Clipboard Hijacker | 208.95.112.1
 | GQKWopXj7S.exe | malicious | AgentTesla | 208.95.112.1
 | 1W2TnU01xb.exe | malicious | AgentTesla | 208.95.112.1
 | 2PJ65Chy6v.exe | malicious | AgentTesla | 208.95.112.1
                                                    No context
                                                    No context
                                                    No created / dropped files found
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.076105212894836
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                    • Win32 Executable (generic) a (10002005/4) 49.93%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:uolmaTGkHh.exe
                                                    File size:10'696'840 bytes
                                                    MD5:d6e15801658f82bb5cebf9ddfb0ceba0
                                                    SHA1:6e9f2674fe7593cdde2561fdf847349f41290d1a
                                                    SHA256:e36062ec168d0419711c6b6a4acdf3a79ade9e5a28c1b62ce45c68f22735f025
                                                    SHA512:a6866627a05bbd771ee936801f41bb2e8545ce6a4690c683b554bc894d65eb4903607c4be1498b7a23893d94b505bf5a57000e17fda5800d54f185a1fbc07f4b
                                                    SSDEEP:98304:Vx5QoVFQ6Q3qkeJuJ5sg4hkq3W2ciE8iAfscF:Vx5QsO6sME5sg4hfE8NfscF
                                                    TLSH:AEB6D60FBEC6CBB1E35D1776C9AA050413B4E9C36323D62A398E2B6A1F137B94941717
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................x............... ........@.. .......................`............`................................
                                                    Icon Hash:d0cce8b2d2cea2d2
                                                    Entrypoint:0xe2972e
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x67B8DC97 [Fri Feb 21 20:05:43 2025 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Signature Valid:false
                                                    Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the certificate table carries a chain issued to Vivaldi Technologies AS, but the Authenticode image hash stored in that signature is not the hash of this file, i.e. the signature block was taken from a different binary)
Not Before:10/10/2023 09:35:44
Not After:18/12/2026 17:17:34
                                                    Subject Chain
• CN=Vivaldi Technologies AS, O=Vivaldi Technologies AS, STREET=Mølleparken 6, L=Oslo, S=Oslo, C=NO, OID.1.3.6.1.4.1.311.60.2.1.3=NO, SERIALNUMBER=912 309 975, OID.2.5.4.15=Private Organization
                                                    Version:3
                                                    Thumbprint MD5:8E075E67B57EDAB05DE2ED5632BA0C6F
                                                    Thumbprint SHA-1:F7A524AD45E585F8B71E6204B2583714151A08EF
                                                    Thumbprint SHA-256:94BACA5F849BD741FFF1A7F30B4480CBC4541321D3A543551AEA97B7D5DC72B1
                                                    Serial:0E6194E2779D531F896950FF
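Added example, not part of the Joe Sandbox report and not code from the sample: recomputing the Authenticode image hash of a PE the way WinVerifyTrust does shows why a certificate table copied from a legitimately signed binary fails with exactly the error above. Error -2146869232 is HRESULT 0x80096010, TRUST_E_BAD_DIGEST. The hash covers the whole image except the CheckSum field, the Security data-directory entry and the certificate table itself, so those are the only bytes that can differ between the real Vivaldi installer and a file that reuses its signature; a single changed byte in .text breaks it. The PE built by `build_test_pe` is a constructed minimal image for the demo, not the analysed file; `signature_transplant_demo` is this example's own helper.

```python
"""Authenticode image hash of a PE, computed as in the Authenticode spec:
everything except CheckSum, the Security directory entry and the cert table."""
import hashlib
import struct


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hex digest over the Authenticode-covered bytes of the PE image `data`.
    Assumes the certificate table, if present, is the last thing in the file
    (how signtool writes it; also how this sample is laid out: 0xa30a00 + 0x2e88 == file size)."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                                 # same offset in PE32 and PE32+
    security_off = opt + (112 if pe32plus else 96) + 4 * 8  # data directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", data, security_off)

    # 1. Headers, skipping CheckSum (4 bytes) and the Security directory entry (8 bytes).
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:security_off])
    h.update(data[security_off + 8:size_of_headers])

    # 2. Every section's raw bytes, in file order (PointerToRawData).
    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    end_of_sections = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    # 3. Any overlay between the last section and the certificate table.
    cert_start = cert_off if cert_size else len(data)
    if cert_start > end_of_sections:
        h.update(data[end_of_sections:cert_start])
    return h.hexdigest()


def build_test_pe(code: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo (not the analysed sample):
    0x200 bytes of headers, one 0x200-byte .text section, optional cert table at the end."""
    size_of_headers = raw_size = 0x200
    text = code.ljust(raw_size, b"\0")[:raw_size]
    cert_off = size_of_headers + raw_size if cert_blob else 0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, alignments
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)                      # CheckSum (not hashed)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert_blob))  # Security dir entry
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + text + cert_blob


def signature_transplant_demo() -> dict:
    """Which edits leave the Authenticode hash unchanged (True) and which break it (False)."""
    original = authenticode_hash(build_test_pe(b"\x90" * 16))
    return {
        "checksum_changed": authenticode_hash(build_test_pe(b"\x90" * 16, checksum=0x1234)) == original,
        "cert_table_appended": authenticode_hash(build_test_pe(b"\x90" * 16, cert_blob=b"\x30" * 64)) == original,
        "code_changed": authenticode_hash(build_test_pe(b"\xcc" * 16)) == original,
    }


if __name__ == "__main__":
    # {'checksum_changed': True, 'cert_table_appended': True, 'code_changed': False}
    print(signature_transplant_demo())
```

Run it against the sample by reading the file into `data` and comparing `authenticode_hash(data)` with the messageDigest inside the SpcIndirectDataContent of the PKCS#7 blob at file offset 0xa30a00 (that ASN.1 parsing is outside this example); for triage, `Get-AuthenticodeSignature` on Windows reports the same HashMismatch status. The practical rule is the one the report's two fields already encode: "Digitally signed: true" says only that a certificate table is attached, "Signature Valid: false" is the verdict that matters.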
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the stub are zero padding)
The single real instruction at the entry point is the standard managed-executable stub: an indirect jump through the IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT below, 8 bytes) to mscoree.dll!_CorExeMain, the file's only native import. Everything after that runs inside the CLR, so the native disassembly tells you nothing about the payload.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa296e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2a000 | 0x8c48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa30a00 | 0x2e88 | (file offset, not an RVA: the certificate table is appended after the last section and is not mapped into any section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa34000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa27734 | 0xa27800 | 6d98eab7b3c83530188641c58f269e91 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2a000 | 0x8c48 | 0x8e00 | 0a6331bc220f70301fc878afb8082cb5 | False | 0.5601892605633803 | data | 6.246820774322129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa34000 | 0xc | 0x200 | 4caaa4fe0308f6952414ea2c080d6472 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | ZLIB Complexity
(Language and Country are unset for every resource)
RT_ICON | 0xa2a1c0 | 0x528 | Device independent bitmap graphic, 16 x 32 x 32, image size 1280 | 0.4303030303030303
RT_ICON | 0xa2a6e8 | 0x1428 | Device independent bitmap graphic, 32 x 64 x 32, image size 5120 | 0.23992248062015503
RT_ICON | 0xa2bb10 | 0x2d28 | Device independent bitmap graphic, 48 x 96 x 32, image size 11520 | 0.15242214532871973
RT_ICON | 0xa2e838 | 0x3de4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9856728098964908
RT_GROUP_ICON | 0xa3261c | 0x3e | data | 0.7903225806451613
RT_VERSION | 0xa3265c | 0x400 | MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4" (a file-type guess; an RT_VERSION resource is a VS_VERSIONINFO block, decoded in the Description / Data table) | 0.3984375
RT_MANIFEST | 0xa32a5c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments | Vivaldi Installer
CompanyName | Vivaldi Technologies AS
FileDescription | Vivaldi Installer
FileVersion | 7.1.3570.47
InternalName | Falsesgwcej.exe
LegalCopyright | Copyright 2025 Vivaldi Technologies AS. All rights reserved.
LegalTrademarks |
OriginalFilename | Falsesgwcej.exe
ProductName | Vivaldi Installer
ProductVersion | 7.1.3570.47
Assembly Version | 7.1.3570.47
Note the mismatch inside the version resource: CompanyName, ProductName, FileDescription and LegalCopyright are Vivaldi's strings and line up with the certificate subject, while InternalName and OriginalFilename are the unrelated name Falsesgwcej.exe. Together with the non-verifying signature, this is a lookalike of the Vivaldi installer, not a tampered copy of it.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:51:01.964323044 CET | 49673 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:01.964323044 CET | 49675 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:01.967158079 CET | 49674 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:06.714345932 CET | 49676 | 80 | 192.168.2.7 | 23.199.215.203
Mar 7, 2025 20:51:06.714381933 CET | 49677 | 443 | 192.168.2.7 | 2.18.98.62
Mar 7, 2025 20:51:08.887900114 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:51:08.893027067 CET | 80 | 49683 | 208.95.112.1 | 192.168.2.7
Mar 7, 2025 20:51:08.893121958 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:51:08.894191980 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:51:08.899163961 CET | 80 | 49683 | 208.95.112.1 | 192.168.2.7
Mar 7, 2025 20:51:09.385636091 CET | 80 | 49683 | 208.95.112.1 | 192.168.2.7
Mar 7, 2025 20:51:09.434070110 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:51:11.573684931 CET | 49674 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:11.573685884 CET | 49673 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:11.573769093 CET | 49675 | 443 | 192.168.2.7 | 2.23.227.208
Mar 7, 2025 20:51:33.949076891 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:34.261240959 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:34.870577097 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:36.073837996 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:38.479979992 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:42.527345896 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:42.826710939 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:43.292516947 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:51:43.433085918 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:44.636220932 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:44.979846954 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:51:44.984906912 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:51:44.985001087 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:51:44.985559940 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:51:44.990609884 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:51:45.640197039 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:51:45.645868063 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:51:45.651736975 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:51:45.833847046 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:51:45.886212111 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:51:47.042531013 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:47.152137041 CET | 49681 | 80 | 192.168.2.7 | 104.18.21.226
Mar 7, 2025 20:51:47.152335882 CET | 49682 | 80 | 192.168.2.7 | 104.18.21.226
Mar 7, 2025 20:51:47.304447889 CET | 80 | 49681 | 104.18.21.226 | 192.168.2.7
Mar 7, 2025 20:51:47.304466009 CET | 80 | 49682 | 104.18.21.226 | 192.168.2.7
Mar 7, 2025 20:51:47.304507971 CET | 49681 | 80 | 192.168.2.7 | 104.18.21.226
Mar 7, 2025 20:51:47.304541111 CET | 49682 | 80 | 192.168.2.7 | 104.18.21.226
Mar 7, 2025 20:51:51.410234928 CET | 80 | 49683 | 208.95.112.1 | 192.168.2.7
Mar 7, 2025 20:51:51.410355091 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:51:51.854991913 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:51:52.901819944 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Mar 7, 2025 20:52:01.464471102 CET | 49678 | 443 | 192.168.2.7 | 20.189.173.15
Mar 7, 2025 20:52:45.933434963 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:52:45.938918114 CET | 80 | 49690 | 142.250.186.67 | 192.168.2.7
Mar 7, 2025 20:52:45.939029932 CET | 49690 | 80 | 192.168.2.7 | 142.250.186.67
Mar 7, 2025 20:52:49.388350010 CET | 49683 | 80 | 192.168.2.7 | 208.95.112.1
Mar 7, 2025 20:52:49.393750906 CET | 80 | 49683 | 208.95.112.1 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 20:51:08.873590946 CET | 59871 | 53 | 192.168.2.7 | 1.1.1.1
Mar 7, 2025 20:51:08.881918907 CET | 53 | 59871 | 1.1.1.1 | 192.168.2.7
Mar 7, 2025 20:51:44.971540928 CET | 53164 | 53 | 192.168.2.7 | 1.1.1.1
Mar 7, 2025 20:51:44.979202032 CET | 53 | 53164 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 20:51:08.873590946 CET | 192.168.2.7 | 1.1.1.1 | 0x5e7e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:44.971540928 CET | 192.168.2.7 | 1.1.1.1 | 0xbf12 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 20:51:08.881918907 CET | 1.1.1.1 | 192.168.2.7 | 0x5e7e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:44.493936062 CET | 1.1.1.1 | 192.168.2.7 | 0xd0fb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:44.493936062 CET | 1.1.1.1 | 192.168.2.7 | 0xd0fb | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 20:51:44.979202032 CET | 1.1.1.1 | 192.168.2.7 | 0xbf12 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 20:51:44.979202032 CET | 1.1.1.1 | 192.168.2.7 | 0xbf12 | No error (0) | pki-goog.l.google.com | | 142.250.186.67 | A (IP address) | IN (0x0001) | false
                                                    • ip-api.com
                                                    • c.pki.goog
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49683 | 208.95.112.1 | 80 | 6536 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 20:51:08.894191980 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Mar 7, 2025 20:51:09.385636091 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 19:51:08 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 47
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
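Added example, not part of the report: a detector for the probe in session 0. The sample, running from the injected MSBuild.exe process, sent a bare GET to ip-api.com asking only for the `hosting` field (the "Check if machine is in data center or colocation facility" signature) with no User-Agent header, and the six-byte plain-text answer "false" told it the sandbox did not look like a datacenter, so it carried on. The two request texts below are reconstructed from the captured conversations on this page; `GEOIP_HOSTS` and `FINGERPRINT_FIELDS` are this example's own assumptions, not lists the report provides, and should be extended from your own proxy telemetry.

```python
"""Flag HTTP requests that ask an IP-reputation service whether the host is a
datacenter/VPN/proxy, the check AgentTesla ran before stealing anything."""
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts that answer "is this IP a datacenter/VPN/proxy?" queries.
GEOIP_HOSTS = {"ip-api.com"}
# Assumption: query fields that only make sense for environment fingerprinting.
FINGERPRINT_FIELDS = {"hosting", "proxy", "mobile"}

# Constructed from the two captured conversations in this report (not a live capture).
SAMPLE_REQUESTS = {
    "session0_msbuild": (
        "GET /line/?fields=hosting HTTP/1.1\r\n"
        "Host: ip-api.com\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "session1_cryptoapi": (
        "GET /r/gsr1.crl HTTP/1.1\r\n"
        "Cache-Control: max-age = 3000\r\n"
        "Connection: Keep-Alive\r\n"
        "Accept: */*\r\n"
        "If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT\r\n"
        "User-Agent: Microsoft-CryptoAPI/10.0\r\n"
        "Host: c.pki.goog\r\n\r\n"
    ),
}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def requested_fields(target: str) -> set:
    """Fields asked for via ?fields=a,b,c (the form ip-api's /line and /json endpoints take)."""
    fields = set()
    for value in parse_qs(urlsplit(target).query).get("fields", []):
        fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return fields


def sandbox_probe_reasons(raw: str) -> list:
    """Every reason a request looks like an environment check; [] when nothing matches."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower().split(":")[0]
    reasons = []
    if host in GEOIP_HOSTS:
        reasons.append(f"geolocation/hosting lookup to {host}")
        hits = requested_fields(target) & FINGERPRINT_FIELDS
        if hits:
            reasons.append("asks for " + ", ".join(sorted(hits)))
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    return reasons


def is_sandbox_probe(raw: str) -> bool:
    """Alert only when a known lookup host is asked for a fingerprinting field;
    a missing User-Agent alone is too common to page on, so it stays a reason, not a verdict."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower().split(":")[0]
    return host in GEOIP_HOSTS and bool(requested_fields(target) & FINGERPRINT_FIELDS)


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, is_sandbox_probe(raw), sandbox_probe_reasons(raw))
```

The CRL fetch in session 1 is the control case: it comes from the OS (User-Agent Microsoft-CryptoAPI/10.0, host c.pki.goog) and must not trip the rule. Pair the network match with the process context the report gives, an HTTP client running inside MSBuild.exe, and the alert becomes high-confidence.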


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.7 | 49690 | 142.250.186.67 | 80
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 20:51:44.985559940 CET | 202 | OUT | GET /r/gsr1.crl HTTP/1.1
                                                    Cache-Control: max-age = 3000
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
                                                    User-Agent: Microsoft-CryptoAPI/10.0
                                                    Host: c.pki.goog
Mar 7, 2025 20:51:45.640197039 CET | 223 | IN | HTTP/1.1 304 Not Modified
                                                    Date: Fri, 07 Mar 2025 19:10:47 GMT
                                                    Expires: Fri, 07 Mar 2025 20:00:47 GMT
                                                    Age: 2458
                                                    Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
                                                    Cache-Control: public, max-age=3000
                                                    Vary: Accept-Encoding
Mar 7, 2025 20:51:45.645868063 CET | 200 | OUT | GET /r/r4.crl HTTP/1.1
                                                    Cache-Control: max-age = 3000
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
                                                    User-Agent: Microsoft-CryptoAPI/10.0
                                                    Host: c.pki.goog
                                                    Mar 7, 2025 20:51:45.833847046 CET223INHTTP/1.1 304 Not Modified
                                                    Date: Fri, 07 Mar 2025 19:10:47 GMT
                                                    Expires: Fri, 07 Mar 2025 20:00:47 GMT
                                                    Age: 2458
                                                    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                    Cache-Control: public, max-age=3000
                                                    Vary: Accept-Encoding

Target ID: 0
Start time: 14:51:05
Start date: 07/03/2025
Path: C:\Users\user\Desktop\uolmaTGkHh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\uolmaTGkHh.exe"
Imagebase: 0x670000
File size: 10'696'840 bytes
MD5 hash: D6E15801658F82BB5CEBF9DDFB0CEBA0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.942312480.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.937794730.0000000004759000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.937794730.00000000044D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.924966672.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 14:51:06
Start date: 07/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase: 0x3f0000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2161121086.0000000000802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2165009454.0000000002845000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false