Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DDE00 CryptGenRandom,__CxxThrowException@8
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DDEE0 CryptReleaseContext
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DDD20 CryptReleaseContext
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DDBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DD9D0 CryptAcquireContextA,GetLastError
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DD7D4 CryptReleaseContext
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5DD7F0 CryptReleaseContext
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E6035E0 CryptReleaseContext
Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.2058316472.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.0000000004206000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2071404797.000000006E604000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2069084336.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.2058316472.0000000004998000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2058316472.000000000480D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2069084336.000000000597A000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BC30 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145A855 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BD40 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BD39 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01454DE8 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BC28 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BF5A 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BF60 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BE4E 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0145BE50 4x nop then mov dword ptr [ebp-14h], 40000003h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_06143E30 4x nop then jmp 06143EE2h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_06143E29 4x nop then jmp 06143EE2h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_061442F1 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_061442F8 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: unknown
TCP traffic detected without corresponding DNS query: 173.222.162.64 (reported 7 times)
Source: unknown
TCP traffic detected without corresponding DNS query: 172.64.149.23 (reported 4 times)
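The two destinations above were contacted without a preceding DNS lookup. The following is an added example, not part of the sandbox report, of the correlation a detection pipeline performs to raise that finding: every TCP connect is checked against the DNS answers seen in a preceding window, and destinations that no resolver ever returned are reported. The DNS and connection records are constructed for illustration; the name api.ip.sb is taken from the strings found in MSBuild.exe memory further down in the report, but its answer address 104.26.12.31 is a hypothetical value.

```python
from collections import defaultdict

# Constructed telemetry for illustration; not taken from the sandbox capture.
# DNS answers: (timestamp_s, queried_name, answered_ip). The address for
# api.ip.sb is a hypothetical value.
DNS_LOG = [
    (10.0, "api.ip.sb", "104.26.12.31"),
]
# TCP connects: (timestamp_s, dst_ip, dst_port). The two raw-IP destinations
# are the ones the report flagged.
TCP_LOG = [
    (10.2, "104.26.12.31", 443),
    (11.0, "173.222.162.64", 443),
    (11.5, "173.222.162.64", 443),
    (12.0, "172.64.149.23", 443),
]


def connections_without_dns(dns_log, tcp_log, window_s=300.0):
    """Return every TCP connect whose destination IP was not present in a
    DNS answer observed within window_s seconds before the connect."""
    answer_times = defaultdict(list)  # ip -> timestamps at which it was answered
    for ts, _name, ip in dns_log:
        answer_times[ip].append(ts)

    hits = []
    for ts, ip, port in tcp_log:
        # An answer counts only if it arrived before the connect and not too long ago.
        resolved = any(0.0 <= ts - t <= window_s for t in answer_times.get(ip, ()))
        if not resolved:
            hits.append((ts, ip, port))
    return hits


def summarize(hits):
    """Collapse repeated hits into a per-IP count, the way the report repeats
    one line per connect."""
    counts = defaultdict(int)
    for _ts, ip, _port in hits:
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(summarize(connections_without_dns(DNS_LOG, TCP_LOG)).items()):
        print(f"TCP traffic detected without corresponding DNS query: {ip} ({n} connects)")
```

A resolution cached before the capture started, DNS over HTTPS, or a hard-coded CDN address all produce the same signal, so treat a raw-IP hit as a lead to pivot on (netblock owner, TLS SNI, the process that made the connect) rather than a verdict. The window length is a tuning knob; a sandbox that checks the whole run is equivalent to a window longer than the capture.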
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: file.exe
String found in binary or memory: http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/
Source: file.exe
String found in binary or memory: http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt
Source: file.exe
String found in binary or memory: http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h
Source: file.exe
String found in binary or memory: http://axschema.org/contact/postalCode/businessDhttp://axschema.org/contact/IM/AIMDhttp://axschema.o
Source: file.exe
String found in binary or memory: http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/
Source: file.exe
String found in binary or memory: http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu
Source: file.exe
String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe
String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe
String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Source: file.exe
String found in binary or memory: http://namespace.google.com/openid/xmlns
Source: file.exe
String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe
String found in binary or memory: http://openid.net/extensions/sreg/1.1
Source: file.exe
String found in binary or memory: http://openid.net/signon/1.1
Source: file.exe
String found in binary or memory: http://openid.net/sreg/1.05http://openid.net/sreg/1.1
Source: file.exe
String found in binary or memory: http://openid.net/srv/ax/1.0
Source: file.exe
String found in binary or memory: http://openid.net/xmlns/1.09http://openid.net/signon/1.0
Source: file.exe
String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
Source: file.exe
String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/none
Source: file.exe
String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po
Source: file.exe
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: file.exe
String found in binary or memory: http://specs.openid.net/auth/2.0
Source: file.exe
String found in binary or memory: http://specs.openid.net/auth/2.0/signonOhttp://specs.openid.net/auth/2.0/serverehttp://specs.openid.
Source: file.exe
String found in binary or memory: http://specs.openid.net/extensions/oauth/1.0
Source: file.exe
String found in binary or memory: http://specs.openid.net/extensions/pape/1.0
Source: file.exe
String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/icon
Source: file.exe
String found in binary or memory: http://specs.openid.net/extensions/ui/1.0ghttp://specs.openid.net/extensions/ui/1.0/lang-prefihttp:/
Source: file.exe
String found in binary or memory: http://specs.openid.net/extensions/ui/icon
Source: file.exe
String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf
Source: file.exe
String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfthttp://www.idmanagement.gov/
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000002.00000002.2070167027.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe
String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, type: SAMPLE
Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.file.exe.720000.0.unpack, type: UNPACKEDPE
Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
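One of the zgRAT matches above is on memory unpacked from MSBuild.exe (2.2.MSBuild.exe.400000.0.unpack), a Microsoft-signed build tool that here hosts the injected payload; the same process holds the https://api.ip.sb/ip and https://discord.com/api/v9/users/ strings listed elsewhere in the report. The following is an added example, not part of the report: a host-telemetry check that flags an MSBuild.exe process started without any project or solution argument (a real build passes one, as MSBuild's own usage strings in the report show) that then makes outbound connections. The process and network records, the PIDs, the parent image paths and the 203.0.113.10 address are constructed for illustration; the report itself does not state the process tree.

```python
import ntpath
import shlex

# Arguments a legitimate MSBuild invocation normally carries (assumed list).
BUILD_INPUT_SUFFIXES = (".sln", ".csproj", ".vbproj", ".fsproj", ".proj", ".targets", ".metaproj")

# Constructed telemetry (not from the report): process starts and network connects.
EVENTS = [
    {"kind": "process", "pid": 4001, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\MyApp\MyApp.sln" /t:Rebuild /p:Configuration=Release'},
    # A real build may still connect, e.g. for package restore (hypothetical address).
    {"kind": "network", "pid": 4001, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"kind": "process", "pid": 4010, "parent_image": r"C:\Users\user\Desktop\file.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"kind": "network", "pid": 4010, "dst_ip": "173.222.162.64", "dst_port": 443},
    {"kind": "network", "pid": 4010, "dst_ip": "172.64.149.23", "dst_port": 443},
]


def has_build_input(cmdline):
    """True if any non-switch argument names a project, solution or targets file."""
    # posix=False keeps Windows backslashes literal and retains the quote characters.
    tokens = shlex.split(cmdline, posix=False)[1:]  # skip the image itself
    for tok in tokens:
        tok = tok.strip('"').lower()
        if tok.startswith(("/", "-")):
            continue  # a switch such as /t:Rebuild, not an input file
        if tok.endswith(BUILD_INPUT_SUFFIXES):
            return True
    return False


def suspicious_msbuild(events):
    """Return {pid: details} for MSBuild.exe processes that were started without
    a build input and later made outbound connections."""
    procs = {}
    connects = {}
    for ev in events:
        if ev["kind"] == "process":
            procs[ev["pid"]] = ev
        elif ev["kind"] == "network":
            connects.setdefault(ev["pid"], []).append(ev)

    findings = {}
    for pid, ev in procs.items():
        # ntpath handles the Windows path even when this runs on another OS.
        if ntpath.basename(ev["image"]).lower() != "msbuild.exe":
            continue
        if has_build_input(ev["cmdline"]):
            continue
        dests = connects.get(pid, [])
        if not dests:
            continue
        findings[pid] = {
            "parent_image": ev["parent_image"],
            "destinations": sorted({f'{d["dst_ip"]}:{d["dst_port"]}' for d in dests}),
        }
    return findings


if __name__ == "__main__":
    for pid, info in suspicious_msbuild(EVENTS).items():
        print(f"pid {pid}: MSBuild.exe without build input, parent {info['parent_image']}, "
              f"connects to {', '.join(info['destinations'])}")
```

The missing input file carries the weight of the rule: a legitimate build also opens connections during package restore, so a network connect on its own is not a signal. Parent image is recorded for triage rather than matched on, since build servers start MSBuild.exe from many different parents.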
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5AB6B0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D4EE0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5FAC29
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5A2D70
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C4AC0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E588B30
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5F0B89
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C4970
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E586650
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E58A7E0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E58C7B0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C4550
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5FA54D
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5E2310
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D63B0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E59A0C0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C3E50
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D5EB9
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5F9FFC
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5FBFF1
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C3C90
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5E1CA0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5F5DD2
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D5DD0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5F9AAB
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D5830
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D58D5
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D58D7
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5FB964
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C3460
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D5274
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5C3260
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_6E5D5050
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_014514AD
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_014526D8
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01453F88
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01456EDE
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_06120EB3
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_061226F8
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_061226DE
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_06120930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Code function: 2_2_0149E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Code function: 2_2_0149E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Code function: 2_2_01490869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Code function: 2_2_01490878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Code function: 2_2_01494DC0
Source: file.exe, 00000000.00000002.2057078122.0000000003141000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2054318909.000000000122E000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2069084336.0000000005A48000.00000004.08000000.00040000.00000000.sdmp
Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.00000000048DB000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.0000000004364000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameFleeceless.exe" vs file.exe
Source: file.exe, 00000000.00000002.2070334872.0000000005E21000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2058316472.0000000004A67000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2068902961.0000000005790000.00000004.08000000.00040000.00000000.sdmp
Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000000.2048770149.0000000000722000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFilenamesoftwarebasecompact_vim3.exeR vs file.exe
Source: file.exe
Binary or memory string: OriginalFilenamesoftwarebasecompact_vim3.exeR vs file.exe
Source: C:\Users\user\Desktop\file.exe
Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Section loaded: linkinfo.dll
Source: file.exe, type: SAMPLE
Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.2.file.exe.437fff0.8.raw.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.437fff0.8.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.file.exe.720000.0.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: *.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000002.00000002.2076317813.0000000003F11000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: 0.2.file.exe.437fff0.8.raw.unpack, SAsWjw6ryKORpjDdOpK.cs
High entropy of concatenated method names: 'XLjuK5Adot', 'g38PJ8K3c0', 'aN4uX9Cl5d', 'W2KukoYeLh', 'f1suajXB2G', 'Xx3u3cg4ry', 'oU0jeoJvNN', 'lNP6qCDE0A', 'nkL6SGIYut', 'ktO6z4YpfB'
Source: 0.2.file.exe.437fff0.8.raw.unpack, cYliXic5yo5UO8ufBcv.cs
High entropy of concatenated method names: 'rR2cnEDbFD', 'kaVcPhfgb9', 'KOVcwUqTwR', 'CvmcI5MkWW', 'Hqtc2WLIKT', 'qtSc6ahkfQ', 'mQycLouwYB', 'GHtcu5y2P1', 'qQmcY5J4MP', 'NLAc1UV8gA'
Source: 0.2.file.exe.437fff0.8.raw.unpack, oT7fsFY1oP1lxDsrwQO.cs
High entropy of concatenated method names: 'nquGaA3nxn', 'SoHG3kPJQs', 'sflGDSqbiB', 'U1iG9IMcmK', 'VGxGilwucp', 'ym6GRqZK41', 'HIUG0QD0VE', 'Ah4Y3nF77w', 's0SG4DMO4o', 'M8RGsqVdt9'
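The three findings above score the Shannon entropy of a class's method names joined into one string; identifiers produced by a .NET obfuscator draw from the whole alphanumeric alphabet with near-uniform frequency, while human-chosen names read like English and score well below it. The following is an added example, not part of the report, that computes that score for the method names exactly as the report lists them, adds a digit-ratio signal as a second indicator, and compares against a constructed set of ordinary method names. The thresholds are assumptions to be calibrated against a corpus of unobfuscated assemblies.

```python
import math

# Method names exactly as listed in the report for the three classes of
# 0.2.file.exe.437fff0.8.raw.unpack.
REPORTED_METHOD_NAMES = {
    "SAsWjw6ryKORpjDdOpK.cs": ["XLjuK5Adot", "g38PJ8K3c0", "aN4uX9Cl5d", "W2KukoYeLh", "f1suajXB2G",
                               "Xx3u3cg4ry", "oU0jeoJvNN", "lNP6qCDE0A", "nkL6SGIYut", "ktO6z4YpfB"],
    "cYliXic5yo5UO8ufBcv.cs": ["rR2cnEDbFD", "kaVcPhfgb9", "KOVcwUqTwR", "CvmcI5MkWW", "Hqtc2WLIKT",
                               "qtSc6ahkfQ", "mQycLouwYB", "GHtcu5y2P1", "qQmcY5J4MP", "NLAc1UV8gA"],
    "oT7fsFY1oP1lxDsrwQO.cs": ["nquGaA3nxn", "SoHG3kPJQs", "sflGDSqbiB", "U1iG9IMcmK", "VGxGilwucp",
                               "ym6GRqZK41", "HIUG0QD0VE", "Ah4Y3nF77w", "s0SG4DMO4o", "M8RGsqVdt9"],
}

# Constructed comparison set of ordinary .NET method names (not from the report).
BENIGN_METHOD_NAMES = ["Initialize", "GetConfiguration", "SendHeartbeat", "ReadBuffer", "WriteBuffer",
                       "Dispose", "ToString", "OnStart", "OnStop", "ParseCommand"]

# Assumed cut-offs; calibrate against your own corpus of unobfuscated assemblies.
ENTROPY_THRESHOLD = 4.8          # bits per character of the concatenated names
DIGIT_FRACTION_THRESHOLD = 0.5   # share of names that contain a digit


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names):
    """Entropy of the concatenation, the quantity the report's heuristic scores."""
    return shannon_entropy("".join(names))


def digit_fraction(names):
    """Share of names that contain a digit; human-chosen identifiers rarely do."""
    if not names:
        return 0.0
    return sum(any(ch.isdigit() for ch in name) for name in names) / len(names)


def looks_obfuscated(names, entropy_threshold=ENTROPY_THRESHOLD,
                     digit_threshold=DIGIT_FRACTION_THRESHOLD):
    """Flag a class whose method names are both high-entropy and digit-laden."""
    return (method_name_entropy(names) > entropy_threshold
            and digit_fraction(names) >= digit_threshold)


if __name__ == "__main__":
    for cls, names in REPORTED_METHOD_NAMES.items():
        print(f"{cls}: entropy={method_name_entropy(names):.2f} "
              f"digits={digit_fraction(names):.1f} obfuscated={looks_obfuscated(names)}")
    print(f"benign set: entropy={method_name_entropy(BENIGN_METHOD_NAMES):.2f} "
          f"obfuscated={looks_obfuscated(BENIGN_METHOD_NAMES)}")
```

Entropy alone is a weak signal on very short classes (a handful of two-character names can score high by chance) and on compiler-generated names, so the score is best read per class with the sample length in mind, as the report does, and combined with the packer match (.NET Reactor) reported for the same sample.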
Source: C:\Users\user\Desktop\file.exe
Process information set: NOOPENFILEERRORBOX (reported 30 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Process information set: NOOPENFILEERRORBOX (reported 38 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: \qemu-ga.exe |
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: \qemu-ga.exe`, |
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: \qemu-ga.exe@\ |
Source: MSBuild.exe, 00000002.00000002.2066425183.0000000000402000.00000040.00000400.00020000.00000000.sdmp |
Binary or memory string: CvmcI5MkWW |
Source: C:\Users\user\Desktop\file.exe |
Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation |
Source: C:\Users\user\Desktop\file.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
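The records above are raw sandbox behaviour events, one per observation, so the same SetErrorMode call shows up dozens of times. The script below is an added triage helper, not part of this report and not any sandbox vendor's tooling: it parses records in the "Source: ... |" / "<event kind>: ... |" layout used here, collapses repeated records into one entry with a count, decodes the NOOPENFILEERRORBOX name to its SetErrorMode flag SEM_NOOPENFILEERRORBOX (0x8000), groups the volume-information queries per process, and flags memory strings that name virtualisation guest agents. The qemu-ga.exe indicator comes from this page; vmtoolsd.exe and vboxservice.exe are extra names added for coverage, and the sample input is constructed from lines of this report.

```python
"""Triage helper for sandbox behaviour records laid out as
'Source: <process or dump> |' followed by '<event kind>: <detail> |'."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: records copied from the report on this page, including the
# repeated NOOPENFILEERRORBOX entries and the 'Jump to behavior' link text of the HTML view.
SAMPLE_REPORT = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: \qemu-ga.exe |
Source: MSBuild.exe, 00000002.00000002.2070167027.000000000301A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: \qemu-ga.exe@\ |
Source: C:\Users\user\Desktop\file.exe |
Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
"""

# SetErrorMode flags (winbase.h) under the names the report prints them with.
ERROR_MODE_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# Guest-agent binaries whose names in process memory suggest a virtualisation check.
# qemu-ga.exe appears in this report; the other two are added for coverage (assumption).
VM_ARTIFACTS = ("qemu-ga.exe", "vmtoolsd.exe", "vboxservice.exe")

RECORD_RE = re.compile(r"^(?P<kind>[^:]+):\s*(?P<detail>.*?)\s*\|?\s*$")


@dataclass(frozen=True)
class Event:
    source: str  # process path, or 'name, <dump id>.sdmp' for a memory dump
    kind: str    # e.g. 'Process information set', 'Binary or memory string'
    detail: str


def process_name(source: str) -> str:
    """Reduce either source form to the bare image name, e.g. 'MSBuild.exe'."""
    return source.split(",")[0].rsplit("\\", 1)[-1]


def parse_report(text: str) -> list[Event]:
    """Pair each 'Source:' line with the event line that follows it."""
    events: list[Event] = []
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Jump to behavior"):
            continue  # blank line or HTML navigation link text
        match = RECORD_RE.match(line)
        if match is None:
            continue
        kind, detail = match.group("kind"), match.group("detail")
        if kind == "Source":
            source = detail
        elif source is not None:
            events.append(Event(source, kind, detail))
            source = None
    return events


def triage(events: list[Event]) -> dict:
    """Deduplicate events and pull out the three record kinds this report contains."""
    counts = Counter(events)  # identical records collapse to one entry; the count is kept
    vm_hits: list[tuple[str, str]] = []
    error_mode: dict[str, dict] = {}
    volume_queries: dict[str, list[str]] = defaultdict(list)
    for ev, n in counts.items():
        proc = process_name(ev.source)
        if ev.kind == "Binary or memory string":
            for name in VM_ARTIFACTS:
                if name.lower() in ev.detail.lower() and (proc, name) not in vm_hits:
                    vm_hits.append((proc, name))
        elif ev.kind == "Process information set":
            entry = error_mode.setdefault(proc, {"mask": 0, "records": 0})
            entry["mask"] |= ERROR_MODE_FLAGS.get(ev.detail, 0)
            entry["records"] += n
        elif ev.kind == "Queries volume information":
            volume_queries[proc].append(ev.detail.removesuffix(" VolumeInformation"))
    return {"vm_artifacts": vm_hits, "error_mode": error_mode,
            "volume_queries": dict(volume_queries)}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for proc, name in result["vm_artifacts"]:
        print(f"[vm-check?] {proc}: memory string names guest agent {name}")
    for proc, entry in result["error_mode"].items():
        print(f"[context] {proc}: SetErrorMode mask 0x{entry['mask']:04x} "
              f"seen in {entry['records']} records")
    for proc, paths in result["volume_queries"].items():
        print(f"[context] {proc}: volume information queried for {len(paths)} path(s)")
```

SEM_NOOPENFILEERRORBOX only suppresses the dialog Windows would show when a file cannot be found, and plenty of benign runtimes and installers set it, so the collapsed record is context rather than evidence. The guest-agent name in MSBuild.exe memory is the stronger lead, but the report shows only that the string is present, not that the process looked for the file or changed behaviour on the result.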