Edit tour

Windows Analysis Report
eiQXaKJ75nCjEWn.exe

Overview

General Information

Sample name:	eiQXaKJ75nCjEWn.exe
Analysis ID:	1436310
MD5:	3fee7d5c6b2adb59a462e7f51004c8ec
SHA1:	a541bfc296bf972506fb4400f0199edc39b144ee
SHA256:	268c36f27645590a64c285888fa50d84b06183a27f4c92d598f269790286253a
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

eiQXaKJ75nCjEWn.exe (PID: 1660 cmdline: "C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe" MD5: 3FEE7D5C6B2ADB59A462E7F51004C8EC)

MSBuild.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7240 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7252 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7260 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2460001262.0000000002E18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1256118946.0000000005620000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1251727408.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1251727408.000000000301E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 7260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.5620000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.5620000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33525:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33641:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3371d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33843:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.eiQXaKJ75nCjEWn.exe.2dd35a4.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31725:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31841:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3191d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a43:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31725:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31841:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3191d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a43:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33525:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33641:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3371d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33843:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.eiQXaKJ75nCjEWn.exe.3059560.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.3058548.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.305b578.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ded3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33525:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df45:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfcf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33641:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e061:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3371d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e13d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33843:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e263:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 22 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.132.98.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7260, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49706

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pu.edu.af", "Username": "saif.rohi@pu.edu.af", "Password": "Ro#@.com55"}

Multi AV Scanner detection for submitted file

Source: eiQXaKJ75nCjEWn.exe	ReversingLabs: Detection: 52%
Source: eiQXaKJ75nCjEWn.exe	Virustotal: Detection: 48%			Perma Link

Machine Learning detection for sample

Source: eiQXaKJ75nCjEWn.exe

Joe Sandbox ML: detected

Source: eiQXaKJ75nCjEWn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49709 version: TLS 1.2

Source: eiQXaKJ75nCjEWn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Code function: 4x nop then jmp 05FDBD9Dh

0_2_05FDC1AB

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.10:49706 -> 103.132.98.224:587

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic

TCP traffic: 192.168.2.10:49706 -> 103.132.98.224:587

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.pu.edu.af

Source: MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pu.edu.af
Source: MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/03
Source: MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, lBLTBzkV.cs	.Net Code: h9f
Source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, lBLTBzkV.cs	.Net Code: h9f

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_02D7EFC4	0_2_02D7EFC4
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FDDDE0	0_2_05FDDDE0
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD2FB8	0_2_05FD2FB8
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD94F8	0_2_05FD94F8
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD7428	0_2_05FD7428
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD7423	0_2_05FD7423
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD90C0	0_2_05FD90C0
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FDDDD0	0_2_05FDDDD0
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD2FA8	0_2_05FD2FA8
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD9EA8	0_2_05FD9EA8
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD7860	0_2_05FD7860
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD0BC0	0_2_05FD0BC0
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Code function: 0_2_05FD0BB0	0_2_05FD0BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_01329370	5_2_01329370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_01329BE8	5_2_01329BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_01324A98	5_2_01324A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0132CE70	5_2_0132CE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_01323E80	5_2_01323E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_013241C8	5_2_013241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_01329BE0	5_2_01329BE0

Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1256651109.0000000006330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1255987424.00000000055D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1251215999.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1251727408.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1251727408.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000000.1209549596.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelpPl.exe8 vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0eb1f663-67ab-4af7-95d7-b04526baf746.exe4 vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs eiQXaKJ75nCjEWn.exe
Source: eiQXaKJ75nCjEWn.exe	Binary or memory string: OriginalFilenamelpPl.exe8 vs eiQXaKJ75nCjEWn.exe

Source: eiQXaKJ75nCjEWn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: eiQXaKJ75nCjEWn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, kGWv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, 84Zwl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, Z80kh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, R7VqEELv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, iWM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, tHB.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, YGTyRx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, YGTyRx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, YGTyRx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, YGTyRx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, Dhu0Eh9wMH2k1sIkgU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, Dhu0Eh9wMH2k1sIkgU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@9/1@1/1

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eiQXaKJ75nCjEWn.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Mutant created: \Sessions\1\BaseNamedObjects\OrNPjmzvKIpkAQwBkdxyfhDF

Source: eiQXaKJ75nCjEWn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eiQXaKJ75nCjEWn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eiQXaKJ75nCjEWn.exe	ReversingLabs: Detection: 52%
Source: eiQXaKJ75nCjEWn.exe	Virustotal: Detection: 48%

Source: unknown	Process created: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe "C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe"
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: eiQXaKJ75nCjEWn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eiQXaKJ75nCjEWn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	.Net Code: Y8aS1svGS3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	.Net Code: Y8aS1svGS3 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Code function: 0_2_05FD7418 push eax; iretd

0_2_05FD7421

Source: eiQXaKJ75nCjEWn.exe

Static PE information: section name: .text entropy: 7.9724800598562675

Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, qDnCwZmwwk5CXau3IU.cs	High entropy of concatenated method names: 'JsgW2qyEji', 'JKoW4D2V94', 'B8JWdv9cHX', 'KB2WKH8SrD', 'RnnWeJ05kD', 'wDjW0efr27', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	High entropy of concatenated method names: 'vNHRJ3VP1g', 'f2XRkboEpC', 'WnkR8DvHxb', 'tsKRiq6eet', 'EoJR6j8cZv', 'nJDRrvPZIZ', 'bKHRZwy65M', 'ytVRMTn44K', 'A6GRXJiKbn', 'obRRc0mF4R'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, Gpx49TbZyPj2rSfaGq.cs	High entropy of concatenated method names: 'lvIZkhbJeP', 'wvwZircpmf', 'IgIZrRkfCN', 'QCjrvDBXoK', 'OdYrzU1e4c', 'DMKZ7DdUyt', 'a97Zaawx7N', 'XLSZlhyqTV', 'P3BZR2xTXB', 'w77ZStuP3k'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, GmY5cg4l0GFGyWnHMZ.cs	High entropy of concatenated method names: 'RAAjZ8sFBSSU6mTZIoC', 'peHjRDsAjrfU2VE3d4e', 'V5GrWKB6a5', 'nXYrOJhCYx', 'oL1rn3qU8B', 'GLv7sxs1H45nDNn3CMR', 'HldmlksBvLaTbWYnEw0'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, c6dN6MEapJ6S6NyHED.cs	High entropy of concatenated method names: 'tp36tbUXFZ', 'cfl6CTI9HL', 'B4WidvOtvL', 'opDiKMFBTF', 'IHui07KcbO', 'e8oio0fdM0', 'fmqibMXMPX', 'ElWiQDkZHC', 'mtSiVOVfYL', 'tiXixGOdsn'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, FjtX6QAbhgvgoAq3J2.cs	High entropy of concatenated method names: 'eK7WkKSNg8', 'BnDW8Sc0na', 'm7wWiPsfVD', 'ocGW6NCNLO', 'jwCWrt3cip', 'MNxWZM7qY0', 'WkaWMfDSvQ', 'AVBWXQy8sg', 'Hp7WcPnFwh', 'BAVWH2mAUS'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, Dhu0Eh9wMH2k1sIkgU.cs	High entropy of concatenated method names: 'meg8en581P', 'KsE8N2v6uj', 'jMo8BYpIA0', 'EPh8G1Uocc', 'hZq8gAGT4D', 'aQU83qC08n', 'gum8ysDX5m', 'GnQ8Av1OBU', 'axr8mHdbBR', 'PU18v6l0K7'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, XHnqtqaRGtwfMkrPxkr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rGLneVeiM7', 'EMgnNDSCWf', 'MDwnB4aPd9', 'bn4nGQolok', 'Rp0nggQ3dY', 'Kiun3t5Zuu', 'QAvnyFYuyf'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, rPnV0i51K4A7vit08C.cs	High entropy of concatenated method names: 'cp7s926KGD', 'PegsUnyjXF', 'bVls2xjix0', 'Qu1s42bXJY', 'uGTsKcrIIq', 'KMCs0hbm7Z', 'NAwsbasD9r', 'SYasQq49BT', 'J6ssxloTT3', 'qpgsYVd98P'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, VumYp58i5pFGA82i9r.cs	High entropy of concatenated method names: 'Dispose', 'drAamiVdGf', 'KAJl4fEXrN', 'IgWJJdkvOh', 'iEjavtX6Qb', 'ygvazgoAq3', 'ProcessDialogKey', 'e2Ll7DnCwZ', 'xwkla5CXau', 'VIUllqSlGo'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, kfI8rR3hWYm2Z2Lf6i.cs	High entropy of concatenated method names: 'rPILAygBDo', 'kysLvNM5ic', 'O4tW7Px2Ah', 'JkYWa8OUYC', 'RlILYBqeys', 'KXFLD8OUio', 'x8FL5SNR9d', 'O9SLet2Jre', 'MiULN8cN0g', 'ioXLBDlJHt'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, QpplLSeQ7jQp9Xcomu.cs	High entropy of concatenated method names: 'ligjxT0U0N', 'b8JjDehWic', 'ujRjeQisnE', 'CdyjNrFlDv', 'sDPj4ZVWKS', 'e5yjdbrqrM', 'N4TjKxGKnl', 'INyj08Z8TX', 'CAyjo0FK7F', 'Gurjb6vApm'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, VJrXt4SQQiCCqYHlFQ.cs	High entropy of concatenated method names: 'sX9aZhu0Eh', 'xMHaM2k1sI', 'vTwacg5Yww', 'Hy5aHCR6dN', 'RyHajEDS8q', 'B2KaTo9KXX', 'YOpfU8WnTuqYEpvuLV', 'xnl8u4Yb02ot9dKrnb', 'QhTaa4xQKE', 'gASaR0ZVpi'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, gQoXauUTwg5Ywwdy5C.cs	High entropy of concatenated method names: 'aRuiIJiZq9', 'c3riPlEDdb', 'xWLi905JCb', 'z49iUFgqNm', 'yjlijkvcQk', 'awAiThYUgB', 'MdriLQMrbS', 'zVViWJqIeN', 'SfNiO8EZuk', 'lpninQQAY5'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, o3R9O2zvp9mUFDyVnC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HRIOsvmI24', 'RYvOjc98cd', 'irSOT8mse7', 'aykOLhbLHq', 'JJyOWZsKDh', 'hKlOOn7QtU', 'DNMOnt8QM4'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, P4EHaClHThcWo3JECp.cs	High entropy of concatenated method names: 'iJX1UXaYR', 'Q0yIHbktt', 'NWdPU09Ob', 'Pb7CFDX20', 'D52UrLCRA', 'tmQE0TlE5', 'CNpcrnvGALe5Xusjl6', 'gQAyuhn8VpeAogX4OA', 'fFsW4mhBd', 'O5xnBmj4d'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, UEMvL3a7fTu1ujCGJxw.cs	High entropy of concatenated method names: 'gtOOwGi7Xv', 'YNwOhBKu5x', 'cmqO1gVB1q', 'xTfOIFHy5t', 'AkNOtchB8w', 'iFEOP8uvUv', 'k2EOCt1TQX', 'es5O94vsh2', 'II2OUGKJPb', 'xBDOEaQEBf'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, e8qt2K2o9KXXIhxxuy.cs	High entropy of concatenated method names: 'vgDrJJSZIK', 'nuLr8ZT5ae', 'xgOr6XkVbw', 'xSdrZ8NLfc', 'Pd9rMosjqS', 'De86g50ku6', 'Kpr63TO7fn', 'hXS6yLyN8y', 'Mbw6Aj7v7e', 'D436mYFFug'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, NUIgOvVHLp2Av3SaQn.cs	High entropy of concatenated method names: 'ATuZwsAXVA', 'TXeZhvuu1a', 'U8EZ1jTPoo', 'fVIZIp297D', 'hr6ZtJ63ss', 'EmPZPYYx0w', 'ew8ZCuIAOG', 'mlMZ9ecCF1', 'E9ZZU060My', 'ma5ZEC7wm1'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, N1nd4yijy5oIUUflYP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fHmlmVSJpd', 'OvGlvI8w8M', 'tDrlzoAlYC', 'ri5R7xWCtC', 'qLoRaQuIHU', 'q2iRlRM7A5', 'K49RRP0mCI', 'TdpIB3gXyxMZ5vf7VZG'
Source: 0.2.eiQXaKJ75nCjEWn.exe.6330000.11.raw.unpack, uSlGo0vGJZHRuiW8Cq.cs	High entropy of concatenated method names: 'PBQOaPUopI', 'nUKORblqqn', 'dmPOSaxmiN', 'yrgOkMxEAc', 'y7yO8ibiYf', 'xTHO6hS2Wn', 'UKDOroIqky', 'fjZWyqbT8r', 'FirWA6SihC', 'VdJWmjheVb'
Source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, qDnCwZmwwk5CXau3IU.cs	High entropy of concatenated method names: 'JsgW2qyEji', 'JKoW4D2V94', 'B8JWdv9cHX', 'KB2WKH8SrD', 'RnnWeJ05kD', 'wDjW0efr27', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, wPgmWqMqnbCNwrUNZG.cs	High entropy of concatenated method names: 'vNHRJ3VP1g', 'f2XRkboEpC', 'WnkR8DvHxb', 'tsKRiq6eet', 'EoJR6j8cZv', 'nJDRrvPZIZ', 'bKHRZwy65M', 'ytVRMTn44K', 'A6GRXJiKbn', 'obRRc0mF4R'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, Gpx49TbZyPj2rSfaGq.cs	High entropy of concatenated method names: 'lvIZkhbJeP', 'wvwZircpmf', 'IgIZrRkfCN', 'QCjrvDBXoK', 'OdYrzU1e4c', 'DMKZ7DdUyt', 'a97Zaawx7N', 'XLSZlhyqTV', 'P3BZR2xTXB', 'w77ZStuP3k'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, GmY5cg4l0GFGyWnHMZ.cs	High entropy of concatenated method names: 'RAAjZ8sFBSSU6mTZIoC', 'peHjRDsAjrfU2VE3d4e', 'V5GrWKB6a5', 'nXYrOJhCYx', 'oL1rn3qU8B', 'GLv7sxs1H45nDNn3CMR', 'HldmlksBvLaTbWYnEw0'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, c6dN6MEapJ6S6NyHED.cs	High entropy of concatenated method names: 'tp36tbUXFZ', 'cfl6CTI9HL', 'B4WidvOtvL', 'opDiKMFBTF', 'IHui07KcbO', 'e8oio0fdM0', 'fmqibMXMPX', 'ElWiQDkZHC', 'mtSiVOVfYL', 'tiXixGOdsn'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, FjtX6QAbhgvgoAq3J2.cs	High entropy of concatenated method names: 'eK7WkKSNg8', 'BnDW8Sc0na', 'm7wWiPsfVD', 'ocGW6NCNLO', 'jwCWrt3cip', 'MNxWZM7qY0', 'WkaWMfDSvQ', 'AVBWXQy8sg', 'Hp7WcPnFwh', 'BAVWH2mAUS'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, Dhu0Eh9wMH2k1sIkgU.cs	High entropy of concatenated method names: 'meg8en581P', 'KsE8N2v6uj', 'jMo8BYpIA0', 'EPh8G1Uocc', 'hZq8gAGT4D', 'aQU83qC08n', 'gum8ysDX5m', 'GnQ8Av1OBU', 'axr8mHdbBR', 'PU18v6l0K7'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, XHnqtqaRGtwfMkrPxkr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rGLneVeiM7', 'EMgnNDSCWf', 'MDwnB4aPd9', 'bn4nGQolok', 'Rp0nggQ3dY', 'Kiun3t5Zuu', 'QAvnyFYuyf'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, rPnV0i51K4A7vit08C.cs	High entropy of concatenated method names: 'cp7s926KGD', 'PegsUnyjXF', 'bVls2xjix0', 'Qu1s42bXJY', 'uGTsKcrIIq', 'KMCs0hbm7Z', 'NAwsbasD9r', 'SYasQq49BT', 'J6ssxloTT3', 'qpgsYVd98P'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, VumYp58i5pFGA82i9r.cs	High entropy of concatenated method names: 'Dispose', 'drAamiVdGf', 'KAJl4fEXrN', 'IgWJJdkvOh', 'iEjavtX6Qb', 'ygvazgoAq3', 'ProcessDialogKey', 'e2Ll7DnCwZ', 'xwkla5CXau', 'VIUllqSlGo'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, kfI8rR3hWYm2Z2Lf6i.cs	High entropy of concatenated method names: 'rPILAygBDo', 'kysLvNM5ic', 'O4tW7Px2Ah', 'JkYWa8OUYC', 'RlILYBqeys', 'KXFLD8OUio', 'x8FL5SNR9d', 'O9SLet2Jre', 'MiULN8cN0g', 'ioXLBDlJHt'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, QpplLSeQ7jQp9Xcomu.cs	High entropy of concatenated method names: 'ligjxT0U0N', 'b8JjDehWic', 'ujRjeQisnE', 'CdyjNrFlDv', 'sDPj4ZVWKS', 'e5yjdbrqrM', 'N4TjKxGKnl', 'INyj08Z8TX', 'CAyjo0FK7F', 'Gurjb6vApm'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, VJrXt4SQQiCCqYHlFQ.cs	High entropy of concatenated method names: 'sX9aZhu0Eh', 'xMHaM2k1sI', 'vTwacg5Yww', 'Hy5aHCR6dN', 'RyHajEDS8q', 'B2KaTo9KXX', 'YOpfU8WnTuqYEpvuLV', 'xnl8u4Yb02ot9dKrnb', 'QhTaa4xQKE', 'gASaR0ZVpi'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, gQoXauUTwg5Ywwdy5C.cs	High entropy of concatenated method names: 'aRuiIJiZq9', 'c3riPlEDdb', 'xWLi905JCb', 'z49iUFgqNm', 'yjlijkvcQk', 'awAiThYUgB', 'MdriLQMrbS', 'zVViWJqIeN', 'SfNiO8EZuk', 'lpninQQAY5'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, o3R9O2zvp9mUFDyVnC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HRIOsvmI24', 'RYvOjc98cd', 'irSOT8mse7', 'aykOLhbLHq', 'JJyOWZsKDh', 'hKlOOn7QtU', 'DNMOnt8QM4'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, P4EHaClHThcWo3JECp.cs	High entropy of concatenated method names: 'iJX1UXaYR', 'Q0yIHbktt', 'NWdPU09Ob', 'Pb7CFDX20', 'D52UrLCRA', 'tmQE0TlE5', 'CNpcrnvGALe5Xusjl6', 'gQAyuhn8VpeAogX4OA', 'fFsW4mhBd', 'O5xnBmj4d'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, UEMvL3a7fTu1ujCGJxw.cs	High entropy of concatenated method names: 'gtOOwGi7Xv', 'YNwOhBKu5x', 'cmqO1gVB1q', 'xTfOIFHy5t', 'AkNOtchB8w', 'iFEOP8uvUv', 'k2EOCt1TQX', 'es5O94vsh2', 'II2OUGKJPb', 'xBDOEaQEBf'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, e8qt2K2o9KXXIhxxuy.cs	High entropy of concatenated method names: 'vgDrJJSZIK', 'nuLr8ZT5ae', 'xgOr6XkVbw', 'xSdrZ8NLfc', 'Pd9rMosjqS', 'De86g50ku6', 'Kpr63TO7fn', 'hXS6yLyN8y', 'Mbw6Aj7v7e', 'D436mYFFug'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, NUIgOvVHLp2Av3SaQn.cs	High entropy of concatenated method names: 'ATuZwsAXVA', 'TXeZhvuu1a', 'U8EZ1jTPoo', 'fVIZIp297D', 'hr6ZtJ63ss', 'EmPZPYYx0w', 'ew8ZCuIAOG', 'mlMZ9ecCF1', 'E9ZZU060My', 'ma5ZEC7wm1'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, N1nd4yijy5oIUUflYP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fHmlmVSJpd', 'OvGlvI8w8M', 'tDrlzoAlYC', 'ri5R7xWCtC', 'qLoRaQuIHU', 'q2iRlRM7A5', 'K49RRP0mCI', 'TdpIB3gXyxMZ5vf7VZG'
Source: 0.2.eiQXaKJ75nCjEWn.exe.4195340.7.raw.unpack, uSlGo0vGJZHRuiW8Cq.cs	High entropy of concatenated method names: 'PBQOaPUopI', 'nUKORblqqn', 'dmPOSaxmiN', 'yrgOkMxEAc', 'y7yO8ibiYf', 'xTHO6hS2Wn', 'UKDOroIqky', 'fjZWyqbT8r', 'FirWA6SihC', 'VdJWmjheVb'

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 63B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 73B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 75F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory allocated: 85F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2840			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6982			Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7388	Thread sleep count: 2840 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7388	Thread sleep count: 6982 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98342s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -97891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -96403s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -96282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -96043s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95930s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95576s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95410s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -95032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94195s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -94078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93248s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -93016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -92906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -92794s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7380	Thread sleep time: -92672s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96043	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95930	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95410	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 94078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 93016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 92906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 92794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 92672	Jump to behavior

Source: MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C9F008	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Queries volume information: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2dd35a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.3059560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.3058548.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.305b578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1256118946.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251727408.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251727408.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7260, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.412c7c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.40f1da8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eiQXaKJ75nCjEWn.exe PID: 1660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.5620000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e067c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2e17440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.2dd35a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.3059560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.3058548.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eiQXaKJ75nCjEWn.exe.305b578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1256118946.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251727408.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1251727408.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eiQXaKJ75nCjEWn.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeyLogger
eiQXaKJ75nCjEWn.exe	49%	Virustotal		Browse
eiQXaKJ75nCjEWn.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/03	0%	Avira URL Cloud	safe
http://mail.pu.edu.af	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/03	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
mail.pu.edu.af	103.132.98.224	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.pu.edu.af	MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, eiQXaKJ75nCjEWn.exe, 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/03	MSBuild.exe, 00000005.00000002.2458821017.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2463257536.00000000060CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.132.98.224	mail.pu.edu.af	Afghanistan		58469	MOCI-AS-APMinistryofCommunicationITAF	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436310
Start date and time:	2024-05-04 10:08:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eiQXaKJ75nCjEWn.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@9/1@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 86 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 199.232.210.172, 13.85.23.206, 72.21.81.240, 52.165.164.15
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 7260 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:09:41	API Interceptor	2x Sleep call for process: eiQXaKJ75nCjEWn.exe modified
10:09:45	API Interceptor	54x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.132.98.224	MehGCkAdgaX9oF0.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
103.132.98.224	wsst63fXULoBQTw.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Zahlungsbeleg 202405029058.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.214.172
	Arrival Notice.pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	199.232.210.172
	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	invoice PDF -2024.gz.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	199.232.214.172
	LFfjUMuUFU.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	199.232.210.172
	https://www.67rwzb.cn/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://jingxinwl.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://nthturn.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://bshgjc.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
mail.pu.edu.af	MehGCkAdgaX9oF0.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	103.132.98.224
mail.pu.edu.af	wsst63fXULoBQTw.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	103.132.98.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MOCI-AS-APMinistryofCommunicationITAF	MehGCkAdgaX9oF0.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	103.132.98.224
MOCI-AS-APMinistryofCommunicationITAF	wsst63fXULoBQTw.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	103.132.98.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	0e46.scr.exe	Get hash	malicious	AgentTesla	Browse	173.222.162.55
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	173.222.162.55
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	173.222.162.55
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	173.222.162.55
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	173.222.162.55
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	173.222.162.55
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	173.222.162.55
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse	173.222.162.55
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse	173.222.162.55
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse	173.222.162.55

Process:	C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.953189410881907
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	eiQXaKJ75nCjEWn.exe
File size:	702'464 bytes
MD5:	3fee7d5c6b2adb59a462e7f51004c8ec
SHA1:	a541bfc296bf972506fb4400f0199edc39b144ee
SHA256:	268c36f27645590a64c285888fa50d84b06183a27f4c92d598f269790286253a
SHA512:	0ae3280681b1db7945f49e538a2618b43cd0fa28cf139bb494153d1147e55b9e4d90a5c86af940ed8386072b5cc9ac640a2f5caed296d41b2b34c39b9a9b585f
SSDEEP:	12288:V3/T3/fVrTtK3/6k8d5VA/GhMQOEV5gZfR5x52GfLa09pgM+Vjp1DRaTmqIHN1Ts:VrXVrTtKSzVAeOUa5r52GfLaUbC1bqMy
TLSH:	66E4224E77CA5B35CA3FB3F005458A8063F13526B861E61A7E9D25C92CD6F218F903A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Gd3f..............0..x...8........... ........@.. ....................................@................................

File Icon


Icon Hash:	0773f1fcfccc6113

Static PE Info

General

Entrypoint:	0x4a901e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66336447 [Thu May 2 10:00:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
aaa
inc edi
aaa
dec eax
xor eax, 42000000h
xor eax, 4E343531h
xor eax, 32414939h
dec ecx
aaa
aaa
inc ebp
xor al, 56h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8fcc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x2ce4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7044	0xa7800	4d8fac92fa2784a56bfea99c57228433	False	0.959100979477612	data	7.9724800598562675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x2ce4	0x3000	8bdde29d020c07ce5c2a20e5754a0e1b	False	0.8715006510416666	data	7.429580991951343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x800	94cbc119202bb68b3961e163cd6e7ce9	False	0.015625	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa100	0x26cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9980871841336958
RT_GROUP_ICON	0xac7e0	0x14	data	1.05
RT_VERSION	0xac804	0x2e0	data	0.44565217391304346
RT_MANIFEST	0xacaf4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:09:38.481134892 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:38.792804956 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:39.402147055 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:39.683434010 CEST	49674	443	192.168.2.10	173.222.162.55
May 4, 2024 10:09:39.685877085 CEST	49675	443	192.168.2.10	173.222.162.55
May 4, 2024 10:09:40.605201006 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:43.011481047 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:46.178925037 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:46.613029957 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:46.613121986 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:46.746184111 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:47.089606047 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:47.698967934 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:47.823982000 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:09:48.061649084 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:48.105245113 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:48.186958075 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:48.620254040 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:48.620276928 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:48.667723894 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:48.669600010 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:48.902188063 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:49.103806973 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:49.152137995 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:49.213778019 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:49.292715073 CEST	49674	443	192.168.2.10	173.222.162.55
May 4, 2024 10:09:49.292731047 CEST	49675	443	192.168.2.10	173.222.162.55
May 4, 2024 10:09:49.648464918 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:49.648489952 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:49.648504019 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:49.648556948 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:49.710568905 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:50.144686937 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:50.198981047 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:50.239800930 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:50.674072981 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:50.675327063 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:51.109024048 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:51.110713959 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:51.417743921 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:51.558415890 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:51.558764935 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:51.998689890 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:51.998976946 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:52.471383095 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:52.483849049 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:52.484118938 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:52.917216063 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:52.917557955 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:52.918416023 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:52.918533087 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:52.918566942 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:52.918596029 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:53.351932049 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:53.351957083 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:53.403772116 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:09:53.448995113 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:09:56.230262041 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:09:57.433408976 CEST	49671	443	192.168.2.10	204.79.197.203
May 4, 2024 10:10:02.687715054 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:02.688781977 CEST	49709	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:02.688829899 CEST	443	49709	173.222.162.55	192.168.2.10
May 4, 2024 10:10:02.688889980 CEST	49709	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:02.689393044 CEST	49709	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:02.689408064 CEST	443	49709	173.222.162.55	192.168.2.10
May 4, 2024 10:10:02.995886087 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:03.021995068 CEST	443	49709	173.222.162.55	192.168.2.10
May 4, 2024 10:10:03.022070885 CEST	49709	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:03.605237007 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:04.808373928 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:05.839618921 CEST	49677	443	192.168.2.10	20.42.65.85
May 4, 2024 10:10:07.214704037 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:12.027232885 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:21.636523008 CEST	49672	443	192.168.2.10	173.222.162.55
May 4, 2024 10:10:22.175576925 CEST	443	49709	173.222.162.55	192.168.2.10
May 4, 2024 10:10:22.175651073 CEST	49709	443	192.168.2.10	173.222.162.55
May 4, 2024 10:11:25.699975967 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:11:26.133450031 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:11:26.133474112 CEST	587	49706	103.132.98.224	192.168.2.10
May 4, 2024 10:11:26.133675098 CEST	49706	587	192.168.2.10	103.132.98.224
May 4, 2024 10:11:26.142895937 CEST	49706	587	192.168.2.10	103.132.98.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:09:45.680113077 CEST	59752	53	192.168.2.10	1.1.1.1
May 4, 2024 10:09:46.170731068 CEST	53	59752	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:09:45.680113077 CEST	192.168.2.10	1.1.1.1	0x17b	Standard query (0)	mail.pu.edu.af	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:09:46.170731068 CEST	1.1.1.1	192.168.2.10	0x17b	No error (0)	mail.pu.edu.af	103.132.98.224	A (IP address)	IN (0x0001)	false
May 4, 2024 10:10:02.548126936 CEST	1.1.1.1	192.168.2.10	0x5ec9	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
May 4, 2024 10:10:02.548126936 CEST	1.1.1.1	192.168.2.10	0x5ec9	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 4, 2024 10:09:48.061649084 CEST	587	49706	103.132.98.224	192.168.2.10	220 scloud.andc.gov.af ESMTP Postfix
May 4, 2024 10:09:48.186958075 CEST	49706	587	192.168.2.10	103.132.98.224	EHLO 651689
May 4, 2024 10:09:48.620276928 CEST	587	49706	103.132.98.224	192.168.2.10	250-scloud.andc.gov.af 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
May 4, 2024 10:09:48.669600010 CEST	49706	587	192.168.2.10	103.132.98.224	STARTTLS
May 4, 2024 10:09:49.103806973 CEST	587	49706	103.132.98.224	192.168.2.10	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	10:09:40
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eiQXaKJ75nCjEWn.exe"
Imagebase:	0xa80000
File size:	702'464 bytes
MD5 hash:	3FEE7D5C6B2ADB59A462E7F51004C8EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1256118946.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1254325811.0000000004A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1254325811.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1251727408.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1251727408.000000000301E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:09:41
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x2c0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:09:41
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x320000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:09:41
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:09:41
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xa80000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2460001262.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2460001262.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2457876950.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2460001262.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	239
Total number of Limit Nodes:	14

Executed Functions

Function 05FDDDE0 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4152c7dc31f6f6ae36fcfc0b69d95af8f369165b597c8fdae9b9d543ff9e2f
Instruction ID: cba3d8966e80fce6ee022616209d741a41e0a62dc94ac89ff5fea6a85deb6a49
Opcode Fuzzy Hash: 9b4152c7dc31f6f6ae36fcfc0b69d95af8f369165b597c8fdae9b9d543ff9e2f
Instruction Fuzzy Hash: 11327971B012049FDB19DB65C854BAEBBFBAF89704F184069E646DB390DB39EC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05FD2FB8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015a056fb802de7b073f5d715c6492f920c90665eead9f467fabb7f5dbf78d58
Instruction ID: 69a9292f3e0fc06da0abe525c14662f83d15cc9c5acc836cf81700684b8d1fcd
Opcode Fuzzy Hash: 015a056fb802de7b073f5d715c6492f920c90665eead9f467fabb7f5dbf78d58
Instruction Fuzzy Hash: D521D871E15618CBEB48CF6BC94469EFBF7AFC9200F08C5B9D508A6254EB340A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 05FDC1AB Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880bd6111d4562e920980a78305b6a3d07a198abd207372674fb37e44feba434
Instruction ID: 8668405d3b403a024c31b64140f7802addf846813f4b072f3828826002f8f0b3
Opcode Fuzzy Hash: 880bd6111d4562e920980a78305b6a3d07a198abd207372674fb37e44feba434
Instruction Fuzzy Hash: 33A00202D8F10591D4009C1104184B5D03F120B540F4E3003402A3311A052CC5048C7C

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA61C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05FDA85E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 47f82e4f0dba047f12d82262ec5bc11db58674384d6038917963615e6f09cbdf
Instruction ID: 521c091e4a1c44cf23bea53d8b6e9346a06f1279399f98c97f9b66007c0d4dc1
Opcode Fuzzy Hash: 47f82e4f0dba047f12d82262ec5bc11db58674384d6038917963615e6f09cbdf
Instruction Fuzzy Hash: 7A915B71D006198FEB20DF68C841BEEFBB3BB48310F198569E849A7240D7789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA628 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05FDA85E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 734b2b8de62113c532a14bd21e77894c6f44fffb17a6be2243395ace4e22953e
Instruction ID: eb9a0ed4ccc65276f999abd0964ee19e96e62cb72b69e1c3fa785aa43768a767
Opcode Fuzzy Hash: 734b2b8de62113c532a14bd21e77894c6f44fffb17a6be2243395ace4e22953e
Instruction Fuzzy Hash: 65915A71D006199FEB20DF68C840BEEFBB2FF44310F198569E849A7240DB789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7B09E

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e048dc6094bcf405d8078b8f04368f619142ddd958ba089fa92651ff2624370
Instruction ID: f63634ec54a457c51f6e2f25ed5dfee563d8e09f34a9f9983da95b87b75b6bf2
Opcode Fuzzy Hash: 7e048dc6094bcf405d8078b8f04368f619142ddd958ba089fa92651ff2624370
Instruction Fuzzy Hash: 207124B1A00B058FD724DF29D44175ABBF5FF88304F108A2EE48A97B40E779E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D74508 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D759E9

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 76de374cce8f2a2eee8083eec7748b1919763b9d990a85942cbe7a94b7764571
Instruction ID: a32cf78f2319550d8db0598aabfebee3d31c9f2673c156539bc7c4b30ebf548b
Opcode Fuzzy Hash: 76de374cce8f2a2eee8083eec7748b1919763b9d990a85942cbe7a94b7764571
Instruction Fuzzy Hash: 5A41F270D04719CBEB24CFA9C884B9DBBF5FF49304F60816AD409AB250DBB5694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D7592D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D759E9

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4585bdf80e6618e0b12ace158694bb1f565a80f0fba997232c6692c5f9c60db
Instruction ID: 14730a10ac2904925e05a10529cd99b583e5ca583ca9800f7235abedc825d176
Opcode Fuzzy Hash: f4585bdf80e6618e0b12ace158694bb1f565a80f0fba997232c6692c5f9c60db
Instruction Fuzzy Hash: B241E071D04719CFEB24CFA9C884B9EBBB1FF49304F60816AD408AB250DBB5694ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA398 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05FDA430

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e81fef9ea6c18e64e87622f9f3559bd6d657651a5e658107793a3caeb716fc7a
Instruction ID: 6b728b19cf8b9265e8e9ea4efe75b3746026f449e27f08858c86218ede57ae45
Opcode Fuzzy Hash: e81fef9ea6c18e64e87622f9f3559bd6d657651a5e658107793a3caeb716fc7a
Instruction Fuzzy Hash: B0214675D003499FDB10CFAAC884BEEBBF5FF48310F548429E959A7250C7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA3A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05FDA430

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2c5ba550eee4adbf339f1919c4c63a591149bb2037f31860533e9aacdddf1ce
Instruction ID: ee3b270aa7408e5e83f4d142a66dcb29c6e4b0e2a2deb251b1671c142a285c53
Opcode Fuzzy Hash: e2c5ba550eee4adbf339f1919c4c63a591149bb2037f31860533e9aacdddf1ce
Instruction Fuzzy Hash: B8212475D003499FDB10DFAAC884BEEBBF5FF48310F14842AE959A7250C7799944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D7D07C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D7D6EE,?,?,?,?,?), ref: 02D7D7AF

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87e3b36e324444f0edf78c6a8e5daad8ba31ee55514065d4df492b96c42672e3
Instruction ID: 948952eb49e862eb14622f839ea94cfe735cfa3ee004f14a6fa1b06a5885dde3
Opcode Fuzzy Hash: 87e3b36e324444f0edf78c6a8e5daad8ba31ee55514065d4df492b96c42672e3
Instruction Fuzzy Hash: CA21E4B5900348AFDB10CF9AD584AEEFBF9EF48310F14841AE919A7310D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA488 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05FDA510

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d8a33e6b6f3a27a7638213cc1a41e82c94e886ae907f6c24a64b60169f36cdba
Instruction ID: d50b6658cb77eadaa6deedbfcd957fe6d8d01f08c4d9583e8e6568f275633d9b
Opcode Fuzzy Hash: d8a33e6b6f3a27a7638213cc1a41e82c94e886ae907f6c24a64b60169f36cdba
Instruction Fuzzy Hash: 4A21F472D003499FDB10DFAAC880BEEBBF5FF48210F148429E959A7240D7799945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FD9DC9 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05FD9E4E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 39756c7af48dcdc342a51b560a6e3daa831aa25cd9f3dd0a2e2a85bb51a5b264
Instruction ID: 1f8d2eaad2a0ef0bb9664b862566f871aa5587d8c0f4355b13bb6d1b26c80f93
Opcode Fuzzy Hash: 39756c7af48dcdc342a51b560a6e3daa831aa25cd9f3dd0a2e2a85bb51a5b264
Instruction Fuzzy Hash: 07213871D003098FDB20DFAAC5857EEFBF5EF48214F148429E519A7241C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D7D720 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D7D6EE,?,?,?,?,?), ref: 02D7D7AF

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f2b1c7ebf0c43162187bdc9b92cfe2e2f33d6957d6ae3a7960f400894dce0ff
Instruction ID: 8465304d8e27ee13987d5e4c8cf5f5a5bd34c5018b44fbdf65fc8fe2a839c171
Opcode Fuzzy Hash: 7f2b1c7ebf0c43162187bdc9b92cfe2e2f33d6957d6ae3a7960f400894dce0ff
Instruction Fuzzy Hash: 3921E5B5D003089FDB10CF9AD584ADEFBF9EB48310F14841AE914A7310D375A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA490 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05FDA510

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a5b347c5628a259a3c6271fef9ff785badb6d56aecff51b28e6fe6387747f3fa
Instruction ID: db173ce08d5d05250d5dc07aa3e0f950bb64f4599e28ba7c5c74008672822eeb
Opcode Fuzzy Hash: a5b347c5628a259a3c6271fef9ff785badb6d56aecff51b28e6fe6387747f3fa
Instruction Fuzzy Hash: 7221F2B1D003499FDB10DFAAC880BEEBBB5FF48210F14842AE959A7240C77999448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FD9DD0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05FD9E4E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e1a4405bf49c1afcfdde95c6360104b0b08a9ea574334f8025110657ce33d7d6
Instruction ID: 507d640e26c9cb56be73d78129de5b6df86638a4fde34abb04c2c6ec30bca281
Opcode Fuzzy Hash: e1a4405bf49c1afcfdde95c6360104b0b08a9ea574334f8025110657ce33d7d6
Instruction Fuzzy Hash: 99213571D003098FDB20DFAAC484BEEFBF5EF48220F14842AD419A7240CB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D7A228 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D7B119,00000800,00000000,00000000), ref: 02D7B72A

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daed3ef01ba7f977f6162b2fe57921d07e194443722869035a2d25bed024b8f9
Instruction ID: 2a99f31970a47c3ac5870480e5ad0b740bedb373a0704a4517d02856b30065ae
Opcode Fuzzy Hash: daed3ef01ba7f977f6162b2fe57921d07e194443722869035a2d25bed024b8f9
Instruction Fuzzy Hash: 471103B69003098FDB20DF9AD444BEEFBF4EB48314F10842AE959A7300D379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA2D8 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05FDA34E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9b49f957a08c5d3735f67e7f7d40d0875bb4c60791639dab2297dbc114050bd
Instruction ID: 57a35823edcd60b8e86c51af50554f617e72b814a8f28d1e63ac14abbc45644c
Opcode Fuzzy Hash: f9b49f957a08c5d3735f67e7f7d40d0875bb4c60791639dab2297dbc114050bd
Instruction Fuzzy Hash: D8114776D003488FDB20DFAAD844BDEBBF6EF48314F288419E959A7250C77A9541CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D7B6BA Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D7B119,00000800,00000000,00000000), ref: 02D7B72A

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 563c0bd7d8e52aaa2a77ae457aa807c69c1ad849fbe2ed7cca1f13195e1745b8
Instruction ID: 6b673e2eeb7d9f7ebe8e8edbf1024716b8eec5abe335df0dead28d7a61111a80
Opcode Fuzzy Hash: 563c0bd7d8e52aaa2a77ae457aa807c69c1ad849fbe2ed7cca1f13195e1745b8
Instruction Fuzzy Hash: 4C11E4B69003099FDB14CF9AD444BDEFBF8EB48314F14842AE559A7300C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FDA2E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05FDA34E

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5ce520d114289457b11a6c1e4db1317a3a9294df9b89a949aa2e773c776c4a4
Instruction ID: 06af2f22519001a868e0ed51a29a7c52c04a5b6c8a6ba48a2e1b6665dae48abd
Opcode Fuzzy Hash: d5ce520d114289457b11a6c1e4db1317a3a9294df9b89a949aa2e773c776c4a4
Instruction Fuzzy Hash: 5D112975D003499FDB20DFAAC844BDEFBF6EF48310F248419E955A7250C77A9544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FD9D18 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05FD9D82

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 712a953c9a14ae5830eca23496754b6bc292a48373f4b052d70a11d3706f89b7
Instruction ID: 273726c0946c17966200b36f54e955fe42f70771d95c035111880e0229a712ec
Opcode Fuzzy Hash: 712a953c9a14ae5830eca23496754b6bc292a48373f4b052d70a11d3706f89b7
Instruction Fuzzy Hash: A1116AB1D043488FDB20DFAAC4447EEFBF5EF88320F248419D819A7244CB79A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05FDDD8C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05FDE891,?,?), ref: 05FDEA38

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 062273be3ff3f44d72227c21670f518be425d0a4232641d0659eed388b17b1e0
Instruction ID: 1c33dd5cecbb196215cc89f9198f8968298d0bec8deb016c205dfad73e6e1751
Opcode Fuzzy Hash: 062273be3ff3f44d72227c21670f518be425d0a4232641d0659eed388b17b1e0
Instruction Fuzzy Hash: 071128B68003498FCB10DF9AC445BDEFBF9EB48320F248419E959A7240D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FD9D20 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05FD9D82

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9ca52cbfe63a0f9aa2178873a076aa4d9c2fe24ef19fbce042470f636eb4f716
Instruction ID: 8618bddee61dba0382f398fd3b233ebe3fa2648de67a2cb42127dac45e941b7e
Opcode Fuzzy Hash: 9ca52cbfe63a0f9aa2178873a076aa4d9c2fe24ef19fbce042470f636eb4f716
Instruction Fuzzy Hash: FD1136B1D003488FDB24DFAAC4447EEFBF5EF88324F248419D459A7244CB79A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D7B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D7B09E

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 847071b8cb62436f34bc2f3adb432c396144b943e889a1c007a51dba3aa6181d
Instruction ID: 19e91eed42e03eaa43db2215378ee419b3529f4a095e70efe1b5a9ee65ca81c4
Opcode Fuzzy Hash: 847071b8cb62436f34bc2f3adb432c396144b943e889a1c007a51dba3aa6181d
Instruction Fuzzy Hash: 1F11FDB6D002498BCB20CF9AC444BDEFBF4AB88314F20842AD829A7200D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FDCC60 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05FDD345

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 42ab6f58fc5bf66eaabbdcc8c3d7c0077fc0afb853d1ade32dd29bf1dc13b158
Instruction ID: 565c590fd7554bc8aa95e8ea1d72ddbad06f2912d46f6a586c9dd4524760e540
Opcode Fuzzy Hash: 42ab6f58fc5bf66eaabbdcc8c3d7c0077fc0afb853d1ade32dd29bf1dc13b158
Instruction Fuzzy Hash: 4C1106B5804349DFDB10DF9AC485BDEFBF8EB48310F148419E959A7200C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FDE9D9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05FDE891,?,?), ref: 05FDEA38

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 072169ddc0c15223617b5dfe122ca932c626c7f9245e7a846cc983972dfcfb59
Instruction ID: 0dc4099b8c3a5c947e7d26a1625690bfdee0dd00aedc2b0a3e6d30546db32111
Opcode Fuzzy Hash: 072169ddc0c15223617b5dfe122ca932c626c7f9245e7a846cc983972dfcfb59
Instruction Fuzzy Hash: 511125B5800309CFCB20DF9AD1447DEFBF5EB48320F24841AD958A7240C338A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FDD2E1 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05FDD345

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3b8541b0642f1c78d419c4e1a2768ae7841a4d3a848c002203e61b70456808e4
Instruction ID: 1e54ff6fdf0c6fd8d1a578b949707105850baeb4f296ae6bf393a51dce7d35d1
Opcode Fuzzy Hash: 3b8541b0642f1c78d419c4e1a2768ae7841a4d3a848c002203e61b70456808e4
Instruction Fuzzy Hash: E611F2B6800349CFDB10CF99D884BDEFBF8EB48310F24841AE919A7600C379A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedc363f07ef16ae4a7c86f42e7a30683cf193264a2b5f04e9867446073d1385
Instruction ID: 680ecc054375855c50b239f8db1e764a95a77baa50b9e762cb6a16f65f35a860
Opcode Fuzzy Hash: bedc363f07ef16ae4a7c86f42e7a30683cf193264a2b5f04e9867446073d1385
Instruction Fuzzy Hash: ED216AB1500240DFDB05DF54D8C5B2ABFA1FB84718F24C1ADDA450B646C336D446CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587a0d3766a74da93b446e556db4347fa6b6a70d1949a23a3578681d380493f
Instruction ID: 6925727d9d4692603df1d00dca921a1aa53002fcbdeb5b53496454d1d2016b8b
Opcode Fuzzy Hash: 4587a0d3766a74da93b446e556db4347fa6b6a70d1949a23a3578681d380493f
Instruction Fuzzy Hash: BA2148B1500204DFDB05DF44C9C1B5ABBA5FB84324F24C1ADEA4A0B646C73AF446CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0110D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250537918.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a241f92d848990864c075116b3d361a633d78ff7a3a7926b50e8a00a93f0593c
Instruction ID: 14d196b0e70e73e808712af9c90591c4cbdaf157972d9fcff104bfb98716e570
Opcode Fuzzy Hash: a241f92d848990864c075116b3d361a633d78ff7a3a7926b50e8a00a93f0593c
Instruction Fuzzy Hash: 5D212971904304EFDF0ADFD4E5C0B25BBA5FB84324F24C56DE90A4B296C3B6D446CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0110D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250537918.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fa1c8b108432dbac9e4c37de91944ed8d581c4922ca5de1c2871d6df5a5e92
Instruction ID: 56ef6ca504c0d89c68423ccedd957926d3eb58b67a8e03d672d78e63d30d2423
Opcode Fuzzy Hash: 02fa1c8b108432dbac9e4c37de91944ed8d581c4922ca5de1c2871d6df5a5e92
Instruction Fuzzy Hash: A4212571A04304DFDF1ADF94E880B16BB65EB84314F24C56DD80E4B28AC3B7D447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 010FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: a9246a4d76db78df252d66be36ae8a2360c983e0417b604ec9e6b99a9f373188
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 1511CD76404240CFDB12CF44D5C0B56BFB1FB84224F2482A9D9490AA56C33AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 8115383f01a55fd0ea7e0025a349573ba91b2300e30e8ba3a5a9e107e8b1b291
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 6F11DF76404280CFCB12CF54D5C4B16BFB1FB84714F24C6ADD9490B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0110D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250537918.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 2423b67bcf1bc35b7d1ad4828d04776e51dc9b7d80c2e83c6bd42dcaa2ce6f0f
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: C211BE75904280CFDB16CF54E5C4B15BB61FB44314F24C6AAD8494B69AC37AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250537918.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 6d890a7f4355ba242869e924685af5bfe9848de60876bc8546a073e05759f1de
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 6411BB75904280DFDB16CF98D5C0B15BBB1FB84224F28C6AAD8494B696C37AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 010FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbef0eaa56d28f5b6ea359bc51b127ff5abff53df23274566afa9f399a4ed4c4
Instruction ID: ec08686c4144df8ebecb9b0f077e31db47660cbded29ffad3fe012dab776c365
Opcode Fuzzy Hash: bbef0eaa56d28f5b6ea359bc51b127ff5abff53df23274566afa9f399a4ed4c4
Instruction Fuzzy Hash: 1D01F7711043809BE7205E95CD84B6ABBD8FF42264F18C55EEF890E686E2799440CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1250132164.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1999ed16fc1c8c82a4a8d842acf64f8a880691d46e2b193e9089e9cd71ee2288
Instruction ID: 060cfc5ab51e577735c7a88c32c38369da89e94443f062fa7c7735405e83ddfc
Opcode Fuzzy Hash: 1999ed16fc1c8c82a4a8d842acf64f8a880691d46e2b193e9089e9cd71ee2288
Instruction Fuzzy Hash: 81F0C2714043809EE7208E1AC8C4B66FFD8FB81234F18C55AEE880F697D2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05FD94F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084c7110f66794d825ffe4438435c1e3a4dda6817de97f5468d2c8c082c09558
Instruction ID: 88caddc0a22b5d9511dde8b84f9bbd7306b66d9ff4c2fbb3c0d88a5f91dc1e03
Opcode Fuzzy Hash: 084c7110f66794d825ffe4438435c1e3a4dda6817de97f5468d2c8c082c09558
Instruction Fuzzy Hash: 61E11574E04219CFDB14DFA9C680AAEFBB2BF89304F2481A9D414AB355D775AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05FD7428 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa38b8f76742a96b29a2003c4c87495afd6c57f94ebe5d48dbc16ae31cb8748e
Instruction ID: 57a06c1a17e60113f4425d1b975c397fb9e6f32dc02bb4f9fa0adc2f44432071
Opcode Fuzzy Hash: fa38b8f76742a96b29a2003c4c87495afd6c57f94ebe5d48dbc16ae31cb8748e
Instruction Fuzzy Hash: 35E1E474E042198FDB14DFA9C580AAEFBB2FF89304F2481A9D414AB355D735AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FD90C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26654eb53b746477ff84863cb0d75b86dae1a2bc22607a2cfede87e59c7a7678
Instruction ID: 85f9e5dbadc9b3a9eb539a8b1ed51ea5b5892d170805510eca6d334feb72f3fa
Opcode Fuzzy Hash: 26654eb53b746477ff84863cb0d75b86dae1a2bc22607a2cfede87e59c7a7678
Instruction Fuzzy Hash: CEE10874E04219CFDB14DFA9C680AAEFBB2BF89304F2481A9D414AB355D774AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05FD9EA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2666fcbaba2bcd0f89de031f044bc544c868159a46235ffde081fab16aed3ea
Instruction ID: 837a9e4930256821d510db9f6e3bd930cceeb2a401fc28e290d5e0dd8520e9bd
Opcode Fuzzy Hash: e2666fcbaba2bcd0f89de031f044bc544c868159a46235ffde081fab16aed3ea
Instruction Fuzzy Hash: D0E13574E04219CFDB14DFA9C580AAEFBB2BF89300F2481AAD454AB355D735AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05FD7860 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73e00425c8f2a7c9705685a6e8c1ae514f9d5634ed5a2e0f4d19ec4ae084ddf
Instruction ID: c9a06df79059e3d4ddb5b276836cb49a31a1abd370cb157176044227b5b959ea
Opcode Fuzzy Hash: f73e00425c8f2a7c9705685a6e8c1ae514f9d5634ed5a2e0f4d19ec4ae084ddf
Instruction Fuzzy Hash: 9EE10675E002198FDB14DFA9C580AAEFBB2FF89304F2481A9D414AB356D735AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05FDDDD0 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780a08654fb11b10821aaf789b0a7f03b63a92ebe66e04ad8107a09bf5f73a25
Instruction ID: e7fa495aa4bc7d9779429e894233f3f67617f249d885754de7c6e11eeb427dbd
Opcode Fuzzy Hash: 780a08654fb11b10821aaf789b0a7f03b63a92ebe66e04ad8107a09bf5f73a25
Instruction Fuzzy Hash: 5DB16A71B006048FEB25EB75C864B6EB7BBAF89704F18446DD246DB390DB39E901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D7EFC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251620380.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62cab460c52cbc723ba48387523669ff3f573f313c845ab72c713e24a7ced91
Instruction ID: 3e846da0e44ed0d7781e39893067dc914140342bae63e283a5d8f7ff0401f9b2
Opcode Fuzzy Hash: f62cab460c52cbc723ba48387523669ff3f573f313c845ab72c713e24a7ced91
Instruction Fuzzy Hash: 7AA15A32E002158FCF25DFA4C8406AEB7B2FF85304B25856AE805AB361EB75ED56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05FD0BC0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1e2d3982c9cd46d1be1cddcd36b33559c144f7ae0c4515987deb3337a9f693
Instruction ID: 2585603dbf425e6c1d3c656f96d72a5ceec9a2f34b7ff890e97f15e6f41b1394
Opcode Fuzzy Hash: 9b1e2d3982c9cd46d1be1cddcd36b33559c144f7ae0c4515987deb3337a9f693
Instruction Fuzzy Hash: 7551E374E051199FCB04DFAAD5849AEFBF6BF88300F18C166D409A7315DB34A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05FD7423 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198327951b6d2d8e92151522037e5d8c75a504b4f17c04acc363e92c6ff9504d
Instruction ID: e4f8ded3f493dfd753d7640b7f82806d2c77edf3f983e1481510e0a34dac4df7
Opcode Fuzzy Hash: 198327951b6d2d8e92151522037e5d8c75a504b4f17c04acc363e92c6ff9504d
Instruction Fuzzy Hash: 3B51E875E042198BDB18DFA9C5806AEFBF3FF89304F2481AAD418AB315D7359941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FD0BB0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134a22a5ae83f3d8b5c112038721ac2e474f24106bae73d90385876b92717c0c
Instruction ID: 4743b25272ca31960e606ddfc34e3d22c9b6bc996236034e67e14a5fd490f3cc
Opcode Fuzzy Hash: 134a22a5ae83f3d8b5c112038721ac2e474f24106bae73d90385876b92717c0c
Instruction Fuzzy Hash: 1441F875E055189FDB08DFAAD9856AEFBF2FF88300F18D02AD408A7354EB349942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05FD2FA8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256492007.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd0000_eiQXaKJ75nCjEWn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bfdb8c2627dacdd345a1fd7eb12557706cb783c70cf48f8941ac82f08e0d07
Instruction ID: 9af45ff38785f301ffe230b31edd564b3f1e9398483fb879bb59b16f2d9d6641
Opcode Fuzzy Hash: f0bfdb8c2627dacdd345a1fd7eb12557706cb783c70cf48f8941ac82f08e0d07
Instruction Fuzzy Hash: 2611ECB2E116589BEB08CF6BCC0579EFBF7AFC9200F18C079D908A6254EB3406468F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 7260, Parent PID: 1660COMMON

Executed Functions

Function 01329BE8 Relevance: 3.0, Instructions: 3022COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7d7fa11f54f2b9ef13af0505a2fce0baf54a3240b923e3e913e44e7ee31c8b
Instruction ID: 4f5a5ce042112e8a867fed0067bff346b41f728a19ac71f9c8f8fae0aa45effc
Opcode Fuzzy Hash: 1d7d7fa11f54f2b9ef13af0505a2fce0baf54a3240b923e3e913e44e7ee31c8b
Instruction Fuzzy Hash: 47630831D10B1A8ADB11EF68C8806A9F7B1FF99300F55D79AE45977121EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0132CE70 Relevance: 2.3, Instructions: 2308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8893ce0748c99a0d5f2346b2791e8f9ef7d4eb321368642d7a70c25178fc6823
Instruction ID: 74b00b0bc789937f3c23dd16893c468381ceb3063a70f3cca48fdfae930d12ca
Opcode Fuzzy Hash: 8893ce0748c99a0d5f2346b2791e8f9ef7d4eb321368642d7a70c25178fc6823
Instruction Fuzzy Hash: 2C331C31D107198EDB11EF68C880AADF7B1FF99300F15D79AE459A7211EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01323E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V{m, xrefs: 013240CB

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID: \V{m
API String ID: 0-929464540
Opcode ID: ea6b33671bbf2264ce88d142043b937aa5979ca15966a221e0ef1f34124ac771
Instruction ID: 4ccfc757f83e17e53d6a293efb193e4d042b2e5163e3e1cd0d69748239daa79b
Opcode Fuzzy Hash: ea6b33671bbf2264ce88d142043b937aa5979ca15966a221e0ef1f34124ac771
Instruction Fuzzy Hash: 7E918F70E00219DFDF14DFA9D9857DEBBF2BF48718F248129E405A7254EB789886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01329370 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e2f3a13d46b84239d3518463d0e0b7efd39d92d583d0e6b878947231baf6ad
Instruction ID: 3c6d58c543bfd73ce98405885282c8d2734795dad559f95ad3202468e489bd00
Opcode Fuzzy Hash: 94e2f3a13d46b84239d3518463d0e0b7efd39d92d583d0e6b878947231baf6ad
Instruction Fuzzy Hash: 2C327034A002248FDB15EF69D4847ADBBB2FF88318F248569E906EB395DB71EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01324A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5342bbcfd7e6b34b3c4afe1da620b9ca6cf313f4970fd24acca76ba3606fb3be
Instruction ID: 1775db970ab20bedaa4171bc2e1f8ba2af23799b958fa4a0ea4c2f1480a3fa0d
Opcode Fuzzy Hash: 5342bbcfd7e6b34b3c4afe1da620b9ca6cf313f4970fd24acca76ba3606fb3be
Instruction Fuzzy Hash: E4B17D70E002299FDF14DFADD8817ADBBF2BF88358F148129D815E7294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01324810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V{m, xrefs: 013249D2
\V{m, xrefs: 0132487F

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID: \V{m$\V{m
API String ID: 0-2571113180
Opcode ID: 1c56142ab2a306ed44681e575f10bec76a913c0a293269e52cd834ddce517e12
Instruction ID: bbab0fb81b4abebe0df7352963152f38a7b9fd28e7ddcda0fc3ce59225875b1d
Opcode Fuzzy Hash: 1c56142ab2a306ed44681e575f10bec76a913c0a293269e52cd834ddce517e12
Instruction Fuzzy Hash: 50718D70E00259CFEB14EFA9D88079EBFF2BF88718F148129E415A7254EB749846CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01324805 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

\V{m, xrefs: 013249D2
\V{m, xrefs: 0132487F

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID: \V{m$\V{m
API String ID: 0-2571113180
Opcode ID: b0d7c4a2bb494c3041eb2c2f23c27de9467948b5c14c70c5bf241f0b416218f5
Instruction ID: ebc3c8b2b0223e1b69317c7ad987c5552291e02dbb03ab382f43e8e5b446d6c3
Opcode Fuzzy Hash: b0d7c4a2bb494c3041eb2c2f23c27de9467948b5c14c70c5bf241f0b416218f5
Instruction Fuzzy Hash: BC718CB0E00259CFEB14DFA9D8807DEBFF2BF48718F148129E415A7254EB749846CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01323E74 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

\V{m, xrefs: 013240CB

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID: \V{m
API String ID: 0-929464540
Opcode ID: c1620cbb41fc6a17fd6e2aad34ecd4596ff10f9d2c8e07786987c815bd19d8da
Instruction ID: 7321177002e08b089023495dd902262d999fb9d34a041e445389f0b4449c6d92
Opcode Fuzzy Hash: c1620cbb41fc6a17fd6e2aad34ecd4596ff10f9d2c8e07786987c815bd19d8da
Instruction Fuzzy Hash: ED918F70E00219DFDB10DFA9D985BDDBBF2BF48718F248129E415A7254EB789886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01327903 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d2a5901983eb0cffbfcca74825bc0664ce220d23c7add7b949f872f7c6dcc8
Instruction ID: 6012b4c09869c59d521a0b231ab4282cf29365374f03caa0f6023b0ad307620c
Opcode Fuzzy Hash: 30d2a5901983eb0cffbfcca74825bc0664ce220d23c7add7b949f872f7c6dcc8
Instruction Fuzzy Hash: F91284317006019BDB16B738E89422D33A7FB8A359B608D7AE006CB755CF75DC8ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 01324A8C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e03c527f89d8bd8c43f21b0b0791aa5b9f38782fceab6ebb00f9b985aa6e67
Instruction ID: 4afdd8af224bb0d2bd770dfc12dece8c512fd0e350f315bd2cc223b3289cfa95
Opcode Fuzzy Hash: 21e03c527f89d8bd8c43f21b0b0791aa5b9f38782fceab6ebb00f9b985aa6e67
Instruction Fuzzy Hash: D9B17B70E002299FDF11DFADD8857DDBBF2BF48358F248129D814AB294EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0132935C Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8bb2bbc50886be6bc8d304dd3b73ceddfc46a1962d7167a18c1d3adac64e54
Instruction ID: bd84af55449817e292646554a68e502d603e17aec875b469ca9ca5738c8c6364
Opcode Fuzzy Hash: cb8bb2bbc50886be6bc8d304dd3b73ceddfc46a1962d7167a18c1d3adac64e54
Instruction Fuzzy Hash: DB916F34A002248FDB15EB68D584BADBBF2FF88318F148569E906E7365CB31EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01326ED3 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe26d8ff6a9382ebd971df58a36d173cf25eec6e9e0e93ee586757e61815cd62
Instruction ID: 8970f34f87de7a048bbfcf6822de90462e27ff3da435dd1c96a5a429bf879ddc
Opcode Fuzzy Hash: fe26d8ff6a9382ebd971df58a36d173cf25eec6e9e0e93ee586757e61815cd62
Instruction Fuzzy Hash: FB51C730E002559FDB15EB78C4517AEBBB2FF8A304F2084AAE405EB351DB759C4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 01326CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a878b7505f92dd4acb5a113c731f57f1aa4593742e352bb492b8d578e0e86fce
Instruction ID: f44803247973704c731d4598f7ba1428d970febbac92379652f347b02551d697
Opcode Fuzzy Hash: a878b7505f92dd4acb5a113c731f57f1aa4593742e352bb492b8d578e0e86fce
Instruction Fuzzy Hash: 0E5124B0D00228CFDB18DFA9C885B9DBBB1BF48314F54812AE819AB351D774A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01326CDB Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dfd2bcc49976ea152f1f8b184b8a332a810b3bde017bbee9f95819e624e121
Instruction ID: 6df15a50f54e8fe9916d214385efd9667b25286b3efb3a8a9603268dd061ce4d
Opcode Fuzzy Hash: c1dfd2bcc49976ea152f1f8b184b8a332a810b3bde017bbee9f95819e624e121
Instruction Fuzzy Hash: 175125B4D00228CFDB18DFA9C885B9DBBB1BF48314F54812AD819BB351D774A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01321110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4035ccf2efd49a94b784671df8e99734b2ce9950becc95d97d137bb3ba2bfecc
Instruction ID: 333f476fc462eac19079f16c8c04bc26a5ed931c9cf63d511a1385528c5daaef
Opcode Fuzzy Hash: 4035ccf2efd49a94b784671df8e99734b2ce9950becc95d97d137bb3ba2bfecc
Instruction Fuzzy Hash: 18517E76911A868FD706FB2DFA81A4A3B72B74730534089ACD1854B37ADB706C85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 013226DC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01a370808239551c525b34e2b20810e1554e79db16f2fc9e4077d7e66a9a3df
Instruction ID: 94330179962f2b301be0e71f2d0ffd2ca254c9661b6d455ec94de2fb656cdccd
Opcode Fuzzy Hash: c01a370808239551c525b34e2b20810e1554e79db16f2fc9e4077d7e66a9a3df
Instruction Fuzzy Hash: 2D511271D003198FEB24DFA9C884BDEBBF1EF48314F248029E419AB254DB759946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01321138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3288b4564f513c558c78c4702cfe598411dc0374354644d0bcb0643f5b46e5
Instruction ID: 003b6b5a494efda6f25cc742725baf6bd82f9fbaa16f73f66ee41d2a29abbae2
Opcode Fuzzy Hash: eb3288b4564f513c558c78c4702cfe598411dc0374354644d0bcb0643f5b46e5
Instruction Fuzzy Hash: 75512836A11A468FD706FB2DFA80A4A3B76B797301340896CD1854B37ADB707D85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0132F3AD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4c60c7b0e896e4a402bab71ab90976c4c505d9b5e3350c357ed8da059d5c23
Instruction ID: 45f004998c4b4bcdc66d8281067fc72fc04218cbeff95a747884a0ea4e6a4ac4
Opcode Fuzzy Hash: 1c4c60c7b0e896e4a402bab71ab90976c4c505d9b5e3350c357ed8da059d5c23
Instruction Fuzzy Hash: 9531F2307002158FDB16AB38D4147AE7BB6AF89618F24456CD402EB396EF76CC4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 013296D8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbd7c6a74d6100762b923c28b6b3ba9b80172a6ee4b4627f8eade4437b67039
Instruction ID: 914ed9720eb23024fea34009c0401ba5aa806f0eae8fcf2566f25d597df5527a
Opcode Fuzzy Hash: 9bbd7c6a74d6100762b923c28b6b3ba9b80172a6ee4b4627f8eade4437b67039
Instruction Fuzzy Hash: EF317274E002398BDF25AEADD98077EBB66FB85318F20442AD51AD7381DA35DC81C791

Uniqueness

Uniqueness Score: -1.00%

Function 0132F3C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee7884a7176c0936b1a12cf620a062ad1c6a4f733c341903a3c6a864ccc3195
Instruction ID: 420990e3f3ff27be6e4cf0a9b1e322561d362ea248161009254cbd71ddc03097
Opcode Fuzzy Hash: 2ee7884a7176c0936b1a12cf620a062ad1c6a4f733c341903a3c6a864ccc3195
Instruction Fuzzy Hash: 1B31EF307002198FDB19AB38D81476E7BBAAF89608F60446CD006EB396EF75DC49C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0132F270 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cdfd26c53b67333ae0182d5cc5c889f3c0e091dc8e1dbbbed8eb8e266fe9ae
Instruction ID: d38b910c2732469a27abf9c872a4b9d0aed466b2750dc36db8a9877cafd1e391
Opcode Fuzzy Hash: 64cdfd26c53b67333ae0182d5cc5c889f3c0e091dc8e1dbbbed8eb8e266fe9ae
Instruction Fuzzy Hash: E0319E35E006159FDB19DFA8D89469EBBB6FF89304F108559E806E7341EF70AC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01326F70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72ee1865d464952e65db593d9642448acfe2900b62f1b33973fbe74c3ba923e
Instruction ID: 0afdaa2b15076d9948f32da734809d1a2c38a9748e68417981b6c15d8bfd6fc4
Opcode Fuzzy Hash: c72ee1865d464952e65db593d9642448acfe2900b62f1b33973fbe74c3ba923e
Instruction Fuzzy Hash: CE318135E102199FDF15DFA9D4507AEB7B2FF89304F20856AE801E7241EB759949CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013217C0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c300bcaa99876dd31c83e04c527c615aedb208cc9a695b820ccef684e2e87570
Instruction ID: ff83fb767a926010c1ee09e542ecc882246c4ac29c9a145b34b2a46aa27ed4fa
Opcode Fuzzy Hash: c300bcaa99876dd31c83e04c527c615aedb208cc9a695b820ccef684e2e87570
Instruction Fuzzy Hash: 8A314776F006504FDB12BB7CA9447AE7FAAEB8A328F114965D945C7342E771C9028B90

Uniqueness

Uniqueness Score: -1.00%

Function 0132F280 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9addfa7594edc1117d119fd485df7e8470d5598b6481e34d85b992338d0888
Instruction ID: 94b582657322f987a3ecf9ca04da3f41c32ea3a2bfdf0e57568b8e2b1212eb82
Opcode Fuzzy Hash: 4b9addfa7594edc1117d119fd485df7e8470d5598b6481e34d85b992338d0888
Instruction Fuzzy Hash: B0318F35E106199BCB19DFA9D494A9EBBB6FF89304F108519E806E7340EF70AC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013226E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bf8b5a0defeade7dee55c9f979d7eb2e23770f7e54a9aa73f94a5d4ed1bbc3
Instruction ID: 2c9aba607729788828992a5e1cbd7a3da6d1b2a2c6de10a89dcc33c61bf5bee0
Opcode Fuzzy Hash: b7bf8b5a0defeade7dee55c9f979d7eb2e23770f7e54a9aa73f94a5d4ed1bbc3
Instruction Fuzzy Hash: E941C274D003589FDB14DFA9C884ADEBFB5FF48314F148029E419AB254DB759945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01329248 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e993133aa8de086071d91443e44219efcff1594239fd140a5e3f98fb438700
Instruction ID: f68f335d7d8603797ced6d7c69bd546a50ffb9f94721757434d82b9b313cee2b
Opcode Fuzzy Hash: 73e993133aa8de086071d91443e44219efcff1594239fd140a5e3f98fb438700
Instruction Fuzzy Hash: 6E318631E002299FDB15DFA8D55479EF7B2FF89304F10865AE805EB345DB709846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013216A3 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfe23c3b4f6f1a66a9b8af396710435121938dc5cfea01405895a79cffda5eb
Instruction ID: 293b7d25656ae841f901fef24d6d4c0123a74b26b7acc9b91b65b94518f5cd94
Opcode Fuzzy Hash: 0bfe23c3b4f6f1a66a9b8af396710435121938dc5cfea01405895a79cffda5eb
Instruction Fuzzy Hash: AF21F7765101504FDF23F73CEA8476D3766EB86318F144965D006CB356EA64DC858FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01321383 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1e8853a2603acccb1431d2e252e8d45ce6c6df299d11de0dc3935d55477afb
Instruction ID: 6dbc4c369d48fcd2d4cfa016e35fefe18a3bfdbf119b6c8185c9c65bca96f569
Opcode Fuzzy Hash: 8a1e8853a2603acccb1431d2e252e8d45ce6c6df299d11de0dc3935d55477afb
Instruction Fuzzy Hash: F921D171A002118BEB33773CE68432D3776EB4731EF600869E54ADB792DA6488859B92

Uniqueness

Uniqueness Score: -1.00%

Function 01329258 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94e1c89c32a2c456ed3fa1bece7a91f14cea41048b870eb3997b6f73d4b6fff
Instruction ID: 9f8c6f1d7fd41f35102d0afccb41628c138e0a581883ad8e34149aecd3a51493
Opcode Fuzzy Hash: e94e1c89c32a2c456ed3fa1bece7a91f14cea41048b870eb3997b6f73d4b6fff
Instruction Fuzzy Hash: 67219131E002299BDB15DFA9D48079EFBB2FF8A308F108619E905EB345DB719845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01326B87 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf6f6f00180277976899e3f5b1e60b91a39ab3932b2de99702ce889f8c7d400
Instruction ID: a672db13bbc03d48fd1e1ef131366b2848fb72933d4171e65e089be47f7201c2
Opcode Fuzzy Hash: 9bf6f6f00180277976899e3f5b1e60b91a39ab3932b2de99702ce889f8c7d400
Instruction Fuzzy Hash: F121F8317092908FC706EB7CA4613DE7FB2AF86204B1445EAD089CB357DE395846C781

Uniqueness

Uniqueness Score: -1.00%

Function 01321879 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff778eee8c9dd10399a8e3c71cb88a2fff193b973cedd78caf5fe17311f9681
Instruction ID: e438e7c49de1565742b8e6fefbbf0774fe15defe035ba86c22ed02249f5e7b6b
Opcode Fuzzy Hash: 4ff778eee8c9dd10399a8e3c71cb88a2fff193b973cedd78caf5fe17311f9681
Instruction Fuzzy Hash: B0216D71B00269CFDB65FB68C6597AE7BB2AF89309F10046CC502EB3A5DB358D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2458556118.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f7d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc049174330589d39c93bbdfdeff2fb1f0be6517c5565450853e16e8dfa6179
Instruction ID: abad743fa9ec3ca2619f92940d9f2969989d8111eac503034adb5268a8d15b5b
Opcode Fuzzy Hash: 4fc049174330589d39c93bbdfdeff2fb1f0be6517c5565450853e16e8dfa6179
Instruction Fuzzy Hash: FE2100B2904204DFDB14DF10D980B26BBB1EF84324F64C56AD80E0A28AC37AD846DA63

Uniqueness

Uniqueness Score: -1.00%

Function 01329148 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a37f1b2b9197db0de0b54ed055052f552cc66a5710f6775194de240c29bc343
Instruction ID: 2b6d4a66d79350c8094b5b610cd13ebf171a8edbee82313b08b88883d12b209d
Opcode Fuzzy Hash: 2a37f1b2b9197db0de0b54ed055052f552cc66a5710f6775194de240c29bc343
Instruction Fuzzy Hash: 0B217435E002299BDB19DFA9C8546DEB7B2EF89318F20851AEC15F7341EB70E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01324F88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceefa684952cde90bd38b011321f562ff692d849eb92884affb23a0d77e3f1f
Instruction ID: d0d0824a30184765f44977fb8c47057dc6c52ac9f29a9da95ab5cc33ab4b003b
Opcode Fuzzy Hash: 4ceefa684952cde90bd38b011321f562ff692d849eb92884affb23a0d77e3f1f
Instruction Fuzzy Hash: 18212635A00219CFDB54EB78DA58BAD7BF1AF89304B1044A8E406EB360DB359D05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2458556118.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f7d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c359f2b499d994f60f90348f1b1d8565b387b2e9e6593c33e67b89aa9b7fcd85
Instruction ID: 1b40622b79a9c5a74ade4b7c799bc0a1e4515fc4a2429bee9876043b3690f24f
Opcode Fuzzy Hash: c359f2b499d994f60f90348f1b1d8565b387b2e9e6593c33e67b89aa9b7fcd85
Instruction Fuzzy Hash: CF215E7150D3C09FC703CB24D990711BF71AF46224F29C5EBD8898F2A7C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 01321488 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4ff6ba4e03aa1d24da4abdd2f6b5b85b5a5f88e00222c5aebad6c79adeead5
Instruction ID: a79206c69ede3d2498bc51014d492d01164e9ba5e2a7f3f8ff2000e2f8c99a74
Opcode Fuzzy Hash: 6e4ff6ba4e03aa1d24da4abdd2f6b5b85b5a5f88e00222c5aebad6c79adeead5
Instruction Fuzzy Hash: 22217231E002659FDB26BFBC95542AE7BF5EF58219F240479D449E7301D735C8428B91

Uniqueness

Uniqueness Score: -1.00%

Function 01329A20 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a542b5308fef12108bce573d3c8b221fada64bcc68a8e26f747ab4088093db
Instruction ID: 847932eec1ad6bc47f2dc43d18611d63100b8f82e3b9f12007bfd51f1325618d
Opcode Fuzzy Hash: 31a542b5308fef12108bce573d3c8b221fada64bcc68a8e26f747ab4088093db
Instruction Fuzzy Hash: A721A431B002258FEB14EB69C854BAE7BF5FF88718F108065E505EB3A1DA71DC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01329158 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70518f35e665e57da9a7a1e863e0e93f8d015cac0bcfdc62df36602e4bad11a3
Instruction ID: 640395a3f637b43e39adf0e861583c26ab0e6dfb3523397a953df0f3cfe2e640
Opcode Fuzzy Hash: 70518f35e665e57da9a7a1e863e0e93f8d015cac0bcfdc62df36602e4bad11a3
Instruction Fuzzy Hash: 37216534E002299BDB19DFA9C85469EF7B6EF89308F20851AEC15F7341EB70E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01321888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42355793ec4fed7c54e6b46e978067b4add75de2d334c048a213915265e6e44a
Instruction ID: 326bf64f781e842f235f82443f18738d68e3452f79f512b21bcf1fd8a269aa65
Opcode Fuzzy Hash: 42355793ec4fed7c54e6b46e978067b4add75de2d334c048a213915265e6e44a
Instruction Fuzzy Hash: 80210C31B00269CFDB54FF68C6547AE77F6AB49209F100468C506EB354DB759D41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 013216B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740ad94cca4c0c93b5cde820b3e300e21c74c41ba0aa72984ef727a5bc7ea420
Instruction ID: e44d8deaed712466fba1d0a7a49bd7db79b13986219b363a08e261ef07f8bad3
Opcode Fuzzy Hash: 740ad94cca4c0c93b5cde820b3e300e21c74c41ba0aa72984ef727a5bc7ea420
Instruction Fuzzy Hash: 062163756106104FEF23F72CEA8475A376AE78A318F504925D406C7356EB74DC858F91

Uniqueness

Uniqueness Score: -1.00%

Function 01324F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301c9049c8496f862dd34a3081e7b87994a872493baf1477cfa066cb2452a29d
Instruction ID: 544e94740633d6ae1d2ca432c51ef0ed2aa49f96cc8cab337d7f71dfa97977b4
Opcode Fuzzy Hash: 301c9049c8496f862dd34a3081e7b87994a872493baf1477cfa066cb2452a29d
Instruction Fuzzy Hash: B221F831B00219CFDB54EB79D958BAD77F1AF89308B2044A8E506EB3A0DB75DD04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01320848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6583e6e7f4e27b3beed95672fedbc01965386ffbccb01621f4f074a2747819
Instruction ID: 813fa10134013151e906bd0a918d866745691bbd91715aebca0b735943568b49
Opcode Fuzzy Hash: 2b6583e6e7f4e27b3beed95672fedbc01965386ffbccb01621f4f074a2747819
Instruction Fuzzy Hash: B5119835B002288BEF19BA7DD44476B3696EB86658F204839F157CF346DA61CC894BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01320838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9b1be65c7562f13c28587c9a22430af9b624ce2d6a52b32bde604fe6098b5b
Instruction ID: 2dc443bb420a4c332ad1d2940aa88f79e6ada8690be24d3716727f8bd4ac39f6
Opcode Fuzzy Hash: cc9b1be65c7562f13c28587c9a22430af9b624ce2d6a52b32bde604fe6098b5b
Instruction Fuzzy Hash: 7711E731B043258BEF2A767CD91476B3B65DB8221CF10482AF056CF242DA65C8898BC1

Uniqueness

Uniqueness Score: -1.00%

Function 01321498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980a639e5b96c2bd9f0f3193098a49be988bd5ebdcbda0e21b27b0f50a613fe8
Instruction ID: 134a8b34656cfe09a8138788ad85ea748e868ae8a6a43f5c70b643989e53fccd
Opcode Fuzzy Hash: 980a639e5b96c2bd9f0f3193098a49be988bd5ebdcbda0e21b27b0f50a613fe8
Instruction Fuzzy Hash: 0F018031E002259FCF25FFBC85506AE7BF5EB58214B24047AD809E7301E735C9458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01329888 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b9a992695350dd39dbbf1bb3692a1920386395364c37c95eafcef86ca002ae
Instruction ID: bb77f72ca71d0b6eaa8a5eebff1ebf9dd21b400ca5631d909725c14d25428212
Opcode Fuzzy Hash: d1b9a992695350dd39dbbf1bb3692a1920386395364c37c95eafcef86ca002ae
Instruction Fuzzy Hash: CA01D830A102048BDB10EF59D94578ABB65FF85314F64C174DC4C5F296EBB0ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132099B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e13d8300e70da87339d61f8ea684ddf992c454547964e6cd6b527ad7e5332f
Instruction ID: 8d347641d84ac3ce449744c3b0ed2460b4eac71be15776830e04a0877617e26b
Opcode Fuzzy Hash: f0e13d8300e70da87339d61f8ea684ddf992c454547964e6cd6b527ad7e5332f
Instruction Fuzzy Hash: 9DF02B3274C3A449EB2A367C54642697E419FC2278B451AADD2B5DB1B3D014855CD3D1

Uniqueness

Uniqueness Score: -1.00%

Function 013280E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22b40ca8e4672d1bb30cc9cb296d3c912e1420b7a6c988372e6b83d206aa766
Instruction ID: 3baec6fd5e7c71ef696cadcc9ddd2d57fd6d1eec17b6529250f839fabe31b986
Opcode Fuzzy Hash: e22b40ca8e4672d1bb30cc9cb296d3c912e1420b7a6c988372e6b83d206aa766
Instruction Fuzzy Hash: 7401A271910208AFDF11FBB8FA8169D7FB2EF46300F508279C4419B245DE311E49DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01327088 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f5c282934c9e003464267da93a3a60ee83806c7dfc123bd2a1298eb7cbbd18
Instruction ID: c95b4f69c79228f9837f101f468d257f77a0fa89eebf6ed5f6cc87016c752409
Opcode Fuzzy Hash: a9f5c282934c9e003464267da93a3a60ee83806c7dfc123bd2a1298eb7cbbd18
Instruction Fuzzy Hash: 0BF01439B401088FC714EB68D598BAD77B2FF88351F6044A8E5069B3A0DF34AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013280F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2459448466.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1320000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbd3797892453053ca9ddff9f7e2ffc07ffc642c050b2178d8e05b3da77045d
Instruction ID: a0767c38f6804a924a9faec7b93ea9a831483abcc699bd19270126c0609b5482
Opcode Fuzzy Hash: abbd3797892453053ca9ddff9f7e2ffc07ffc642c050b2178d8e05b3da77045d
Instruction Fuzzy Hash: 80F0AF70910208AFCB00FFB8FA8169C7BB6EF85300F608268C4059B245EE712E48DBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eiQXaKJ75nCjEWn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eiQXaKJ75nCjEWn.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
eiQXaKJ75nCjEWn.exe

Function 05FDA61C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 05FDA628 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02D7AE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 02D74508 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02D7592D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Function 05FDA398 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 05FDA3A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02D7D07C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 05FDA488 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 05FD9DC9 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 02D7D720 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 05FDA490 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 05FD9DD0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 02D7A228 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 05FDA2D8 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre