Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1431662
MD5: acfc823a15fbc0247f1974b9a7dc7cf8
SHA1: 3289cb74a353915117e7b1649acbff7449068018
SHA256: 2b8795c54cc826e2f7c62a5c15088a1d9aa9ff31373abf710caacf4d0a5f1b81
Tags: exe

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: file.exe ReversingLabs: Detection: 18%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4DD20 CryptReleaseContext, 0_2_6CF4DD20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4DEE0 CryptReleaseContext, 0_2_6CF4DEE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4DE00 CryptGenRandom,__CxxThrowException@8, 0_2_6CF4DE00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4D9D0 CryptAcquireContextA,GetLastError, 0_2_6CF4D9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8, 0_2_6CF4DBB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF735E0 CryptReleaseContext, 0_2_6CF735E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4D7F0 CryptReleaseContext, 0_2_6CF4D7F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF4D7D3 CryptReleaseContext, 0_2_6CF4D7D3
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.1660634540.00000000054E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1664036740.000000006CF74000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1649795317.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1649795317.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Users\kkelsch\Documents\PushNotifications\PushSharp\PushSharp-master\PushSharp.Android\obj\Debug\PushSharp.Android.pdb source: file.exe
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.1649795317.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1649795317.000000000437F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1660634540.000000000559A000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296B20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296D38
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296D40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0529D24Ah 0_2_0529D198
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0529D24Ah 0_2_0529D190
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296C28
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296C30
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0529573C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296B19
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05295748
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0529D660
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296E48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0529D658
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05296E50

Networking

Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.74799f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: MSBuild.exe, 00000001.00000002.1677988340.00000000073D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe String found in binary or memory: https://android.apis.google.com/c2dm/send
Source: file.exe String found in binary or memory: https://android.googleapis.com/gcm/send
Source: file.exe String found in binary or memory: https://android.googleapis.com/gcm/sendAchannelSettings
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000325E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000325E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe String found in binary or memory: https://www.google.com/accounts/ClientLogin
Source: file.exe String found in binary or memory: https://www.security.us.panasonic.com
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000340E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_42a65c41-0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\TmpDA41.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\TmpDA31.tmp

System Summary

Source: file.exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.3d67e10.1.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF1B6B0 0_2_6CF1B6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF6AC29 0_2_6CF6AC29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF12D70 0_2_6CF12D70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF44EE0 0_2_6CF44EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF34970 0_2_6CF34970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF34AC0 0_2_6CF34AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF60B89 0_2_6CF60B89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CEF8B30 0_2_6CEF8B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF34550 0_2_6CF34550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF6A54D 0_2_6CF6A54D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CEF6650 0_2_6CEF6650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CEFA7E0 0_2_6CEFA7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CEFC7B0 0_2_6CEFC7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF0A0C0 0_2_6CF0A0C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF463B0 0_2_6CF463B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF52310 0_2_6CF52310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF51CA0 0_2_6CF51CA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF33C90 0_2_6CF33C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF65DD2 0_2_6CF65DD2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF45DD0 0_2_6CF45DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF45EB9 0_2_6CF45EB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF33E50 0_2_6CF33E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF6BFF1 0_2_6CF6BFF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF69FFC 0_2_6CF69FFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF458D5 0_2_6CF458D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF458D7 0_2_6CF458D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF45830 0_2_6CF45830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF6B964 0_2_6CF6B964
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF69AAB 0_2_6CF69AAB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF33460 0_2_6CF33460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF45050 0_2_6CF45050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF45274 0_2_6CF45274
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF33260 0_2_6CF33260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C82C8 0_2_029C82C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029CCAF8 0_2_029CCAF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029CA750 0_2_029CA750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C9560 0_2_029C9560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C1318 0_2_029C1318
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C1328 0_2_029C1328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029CC9B8 0_2_029CC9B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C1788 0_2_029C1788
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_052920F5 0_2_052920F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05292DC0 0_2_05292DC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CA26F8 0_2_05CA26F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CA0EB3 0_2_05CA0EB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CA0930 0_2_05CA0930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CA26F6 0_2_05CA26F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0176E3E8 1_2_0176E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0176E3D8 1_2_0176E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01760878 1_2_01760878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01760868 1_2_01760868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01764DD0 1_2_01764DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01764DC0 1_2_01764DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8A978 1_2_07D8A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8D288 1_2_07D8D288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8DA18 1_2_07D8DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8DA08 1_2_07D8DA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CF590D8 appears 51 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CF5D520 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CF59B35 appears 141 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRenowning.exe" vs file.exe
Source: file.exe, 00000000.00000002.1649795317.000000000444D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1662964336.00000000058F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1647303689.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1660634540.0000000005668000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1641315409.0000000000792000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebdzshell.dll4 vs file.exe
Source: file.exe, 00000000.00000000.1640845575.00000000003F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePushSharp.Android.dllD vs file.exe
Source: file.exe, 00000000.00000000.1640845575.00000000003F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLandingPage.resources.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1660401430.0000000005280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1649795317.00000000042C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1648600967.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamePushSharp.Android.dllD vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameLandingPage.resources.dllJ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamebdzshell.dll4 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: file.exe, InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: file.exe, DeflaterOutputStream.cs Cryptographic APIs: 'TransformBlock'
Source: file.exe, ZipInputStream.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, ZipFile.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, Module1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, ZipAESTransform.cs Cryptographic APIs: 'TransformBlock'
Source: 0.2.file.exe.3d67e10.1.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3d67e10.1.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3d67e10.1.raw.unpack, Strings.cs Base64 encoded string: 'GSk+Lyw0PSESIjU7AQ8FJDM7DA46MyEwJT0lBCEOAVU0QBUHLwJBVDAmGyERJAc5MSsRHTFAJhkuH1Nc'
Source: file.exe, FluentNotification.cs Suspicious method names: .FluentNotification.WithPayload
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.mxs2He487yLyPej7FuR
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.gib6j7BP3UrwQuuuIsl
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.Kvp6hZBo0rZQ1tW7KhC
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.IeVRHc4OPjF13bbj2Xv
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.fkJ38lB4aH3JhZtBOvZ
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.AddCustom
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.QWEbdI4RQcuPofrYS7t
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.fGLMQQ4js68jWLKMC1V
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.QVydVeBmHlAoyn4U3px
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.ToJson
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.v7iwUlBneUhYfG8cNQX
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.tpX6CN4lF5C7NOImMS8
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.JyDU104XQRjbGF4bL63
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.avwpxq4vqSrK52US2Ce
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.b0WGLgBZOtIrZjVSJME
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.ToString
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.mxmwdH45VxOgV07CB2e
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.eQbAMeBB9E3OMkWRBej
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.A91vtk43r1fcYy1DMjS
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.LeLI094xyLbUHVLFjbm
Source: file.exe, AppleNotificationPayload.cs Suspicious method names: .AppleNotificationPayload.RyQDRb4zwju0AUDiQow
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/7@0/0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 18%
Source: file.exe String found in binary or memory: </InstallProperties>
Source: file.exe String found in binary or memory: <UpgradeCode Cpu="x86" Code="{B0A6978E-0C6D-4442-ADD0-8A658489D3B1}"/>
Source: file.exe String found in binary or memory: </Install>
Source: file.exe String found in binary or memory: <AdditionalArguments>/RULES=SCCCheckRules</AdditionalArguments>
Source: file.exe String found in binary or memory: <AdditionalArguments>/FEATURES=SQL_SHARED_MR /UIMODE=AutoAdvance</AdditionalArguments>
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 3948984 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39e600
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.1660634540.00000000054E0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1664036740.000000006CF74000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1649795317.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1649795317.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.1675298581.0000000004201000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Users\kkelsch\Documents\PushNotifications\PushSharp\PushSharp-master\PushSharp.Android\obj\Debug\PushSharp.Android.pdb source: file.exe
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.1649795317.00000000041F4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1649795317.000000000437F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1660634540.000000000559A000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: file.exe, mEqmoE9UxRmX9ogcto.cs .Net Code: Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.QKAJonITanbDi(16777452)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.QKAJonITanbDi(16777318)),Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.QKAJonITanbDi(16777254))})
Source: 0.2.file.exe.3d67e10.1.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: file.exe, hrwN54ssk66JhR0d65a.cs .Net Code: tsFkXCLB65 System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.3d67e10.1.raw.unpack, G8WxH38hhBnr1IE68vI.cs .Net Code: lrPIYdBHH0
Source: 0.2.file.exe.3d67e10.1.raw.unpack, G8WxH38hhBnr1IE68vI.cs .Net Code: kKcFHrrDYN
Source: file.exe Static PE information: 0xBF7851EB [Sat Oct 17 18:52:27 2071 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF0B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CF0B6C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5CC2B push ecx; ret 0_2_6CF5CC3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5D565 push ecx; ret 0_2_6CF5D578
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029C4DBC push es; retf 0_2_029C4DC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05293E80 pushad ; ret 0_2_05293E81
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CA1EFC push ds; retf 0005h 0_2_05CA1F06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_057C17A8 push A8057895h; ret 1_2_057C17AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8A57F push dword ptr [esp+ecx*2-75h]; ret 1_2_07D8A583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8C444 push esi; retf 1_2_07D8C447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8B3DB push FFFFFF8Bh; retf 1_2_07D8B3DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8B33E push FFFFFF8Bh; retf 1_2_07D8B349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_07D8A1D7 push FFFFFF8Bh; iretd 1_2_07D8A1E8
Source: file.exe, AppleNotificationPayload.cs High entropy of concatenated method names: 'AddCustom', 'ToJson', 'ToString', 'A91vtk43r1fcYy1DMjS', 'JyDU104XQRjbGF4bL63', 'fGLMQQ4js68jWLKMC1V', 'LeLI094xyLbUHVLFjbm', 'mxs2He487yLyPej7FuR', 'QWEbdI4RQcuPofrYS7t', 'mxmwdH45VxOgV07CB2e'
Source: file.exe, AppleNotification.cs High entropy of concatenated method names: 'GetNextIdentifier', 'IsValidDeviceRegistrationId', 'ToString', 'ToBytes', 'BuildBufferFrom', 'JNVAK94EsfPTyuvbbUA', 'Vk5Zqf4dPZPA1otJEq9', 'GklYOJ4TZqlAUof1cRu', 'WeLw6b4fwnOono5BBMf', 'pHeIpB4eJ6iOmtHd4A3'
Source: file.exe, ApplePushService.cs High entropy of concatenated method names: '_003C_002Ector_003Eb__1', 'zgEBFXPh6MpvacbiYZM', 'cXyil6Pw0O4KKR8THOv', 'e5UNlpPMU5NqZDZa7es', 'jMMkvJPGfD3lLF3W3gI', 'feedbackService_OnFeedbackReceived', 'lKbdTmBLdUffuNe7R5I', 'Np10dHBivAnHZcfs2Q7', 'MdMkR8BNJC2qhq1MHxs', 'rvk84MBQaojhGXXMYF4'
Source: file.exe, FeedbackService.cs High entropy of concatenated method names: '_003CRun_003Eb__1', 'RaiseFeedbackReceived', 'RaiseFeedbackException', 'Run', 'Run', 'lNlAhaB0F5AAe8U1AuP', 'UDSKvVBIUFJWPbDrkRn', 'WwBeRYBrXwb95GLYIxS', 'jpxyibBMpknpkQvCWaU', 'SEgunHBGCNJpfAjj40o'
Source: file.exe, ApplePushChannel.cs High entropy of concatenated method names: '_003CHandleFailedNotification_003Eb__c', 'r9SIBBPnk51Q61b7yX7', 'T2MUSHBzPfSOpFPh7ZP', 'FuugJcPmTRIoLmy2dsb', '_003Cconnect_003Eb__11', 'GsxhG7PZ2Q6ytnfhQvK', 'MCWRQ6PodVY6243i96R', 'r8BOuvPBjrS4x4PLEnx', 'kpw3UDPPxeaOhtG3Lem', 'SendNotification'
Source: file.exe, hrwN54ssk66JhR0d65a.cs High entropy of concatenated method names: 'lLHifFIsCLsZtjvFfN0i', 'tsFkXCLB65', 'V2hk1qXaN6', 'BUES8OyM9iIbmNBwXyv', 'FLi5NcyG0c4dVWfmhxi', 'FKKXETyhhoaGaxCo6C7', 'K4abbDywNrOe63bpuG7', 'DLO4BPyD4pCrNhqGhGi', 'm6Fy8Eyp9m1M5miDfiV', 'wktEB7ybr4gY18uFFtV'
Source: file.exe, PushServiceBase.cs High entropy of concatenated method names: 'UcuFN9ZXapVwNi0XyN2', 'Q4S1UHZj32Yy4PloCoW', 'Dispose', 'cmGjS9Z5VdLa20KG3P1', 'LgYUScZ8PIbcBXksi5I', 'aLDIirZRTMNhdaV55Q2', '_003CDoChannelWork_003Eb__13', 'L01hUlo6eof9ltBISov', 'knxSasoq8b7onw8Cg27', 'ypsRqsoSpDqLnTwO049'
Source: file.exe, DeflaterEngine.cs High entropy of concatenated method names: 'Deflate', 'SetInput', 'NeedsInput', 'SetDictionary', 'Reset', 'ResetAdler', 'SetLevel', 'FillWindow', 'UpdateHash', 'InsertString'
Source: file.exe, InflaterHuffmanTree.cs High entropy of concatenated method names: 'BuildTree', 'GetSymbol', 'vsIugAYc8C57tXBcC1x', 'fbGafZYYybKJDkDuIt5', 'eghv13Y9reVpSFoibc3', 'DU9RcyYdH8CjLEd7e0X', 'ISAgfGYT4WIUj7Kgrvf', 'aEMNspYEvE7IRXu3PkD'
Source: file.exe, Deflater.cs High entropy of concatenated method names: 'Reset', 'Flush', 'Finish', 'SetInput', 'SetInput', 'SetLevel', 'GetLevel', 'SetStrategy', 'Deflate', 'Deflate'
Source: file.exe, DeflaterHuffman.cs High entropy of concatenated method names: 'Reset', 'WriteSymbol', 'CheckEmpty', 'SetStaticCodes', 'BuildCodes', 'BuildTree', 'GetEncodedLength', 'CalcBLFreq', 'WriteTree', 'BuildLength'
Source: file.exe, Inflater.cs High entropy of concatenated method names: 'Reset', 'DecodeHeader', 'DecodeDict', 'DecodeHuffman', 'DecodeChksum', 'Decode', 'SetDictionary', 'SetDictionary', 'SetInput', 'SetInput'
Source: file.exe, InflaterInputStream.cs High entropy of concatenated method names: 'Skip', 'StopDecrypting', 'Fill', 'Flush', 'Seek', 'SetLength', 'Write', 'WriteByte', 'BeginWrite', 'Close'
Source: file.exe, DeflaterOutputStream.cs High entropy of concatenated method names: 'Finish', 'EncryptBlock', 'InitializePassword', 'InitializeAESPassword', 'Deflate', 'Seek', 'SetLength', 'ReadByte', 'Read', 'BeginRead'
Source: file.exe, DiskArchiveStorage.cs High entropy of concatenated method names: 'GetTemporaryOutput', 'ConvertTemporaryToFinal', 'MakeTemporaryCopy', 'OpenForDirectUpdate', 'Dispose', 'GetTempFileName', 'vPonPBwdYOHuCL0eod8', 'DCNJQ2wYBpQKW1JPccX', 'BboogRw9y9Nv4otFniG', 'y5QEqTwTAFHMPuAhRAn'
Source: file.exe, ZipHelperStream.cs High entropy of concatenated method names: 'Flush', 'Seek', 'SetLength', 'Read', 'Write', 'Close', 'WriteLocalHeader', 'LocateBlockWithSignature', 'WriteZip64EndOfCentralDirectory', 'WriteEndOfCentralDirectory'
Source: file.exe, ZipConstants.cs High entropy of concatenated method names: 'ConvertToString', 'ConvertToString', 'ConvertToStringExt', 'ConvertToStringExt', 'ConvertToArray', 'ConvertToArray', 'SoyvmnrSQXHymUZddxx', 'eiFvcTrFKvXVfU605wy', 'ygAdB8rVhpWw2iqmG1n', 'BV0iwkr196mkjmW7Y9W'
Source: file.exe, ZipInputStream.cs High entropy of concatenated method names: 'GetNextEntry', 'ReadDataDescriptor', 'CompleteCloseEntry', 'CloseEntry', 'ReadByte', 'ReadingNotAvailable', 'ReadingNotSupported', 'InitialRead', 'Read', 'BodyRead'
Source: file.exe, ZipEntryFactory.cs High entropy of concatenated method names: 'MakeFileEntry', 'MakeFileEntry', 'MakeDirectoryEntry', 'MakeDirectoryEntry', 'V1ra9Xebjyava3OELnx', 'QFgmEOeDTPTClm6VfnH', 'PZo5cQeppPn0vqYBVZG', 'jO3pYdec10dwQjcvWUb', 'rwB4NgeYjdNPBdHJyQl', 'CT35wHe9G5XiDDONgky'
Source: file.exe, ZipFile.cs High entropy of concatenated method names: 'Compare', 'EcevwQhHFiPXX3WLp0g', 'OjuwKEh2D2LchZQHuQo', 'gCFfN1hWYVmnpN6TPDh', 'm8D8q6hg5ss3DCbBXuf', 'Il5K2vhs1AfYYU5eSiD', 'GetSource', 'vp1dpJhCQUrnq0UlQbL', 'HA8sCLh7MHCg840QF2W', 'h8InmNhKDH2BN3Da9MN'
Source: file.exe, ZipEntry.cs High entropy of concatenated method names: 'HasDosAttributes', 'ForceZip64', 'IsZip64Forced', 'ProcessExtraData', 'ProcessAESExtraData', 'IsCompressionMethodSupported', 'Clone', 'ToString', 'IsCompressionMethodSupported', 'CleanName'
Source: file.exe, FastZip.cs High entropy of concatenated method names: 'CreateZip', 'CreateZip', 'CreateZip', 'ExtractZip', 'ExtractZip', 'ExtractZip', 'ProcessDirectory', 'ProcessFile', 'AddFileContents', 'ExtractFileEntry'
Source: file.exe, WindowsNameTransform.cs High entropy of concatenated method names: 'TransformDirectory', 'TransformFile', 'IsValidName', 'MakeValidName', 'zOdTXFkHxhTGpfHCxu7', 'iXwPdWk28n1mrPoFt9w', 'ugcyPZkWXpApkFKi6vr', 'Fm2v9LkJ3nj3OQ9Qd59', 'piwwP2kCBgYGn7lrC3t', 'ED2xDSk7n28FcDwnULN'
Source: file.exe, ZipOutputStream.cs High entropy of concatenated method names: 'SetComment', 'SetLevel', 'GetLevel', 'WriteLeShort', 'WriteLeInt', 'WriteLeLong', 'PutNextEntry', 'CloseEntry', 'WriteEncryptionHeader', 'AddExtraDataAES'
Source: file.exe, ExtendedUnixData.cs High entropy of concatenated method names: 'SetData', 'GetData', 'IsValidValue', 'BaqxTNfcEx1g2XquB3y', 'wWZGIefY4JyRcbaLsJx', 'Qw74tuf9smGdwcheAMF', 't4PgjTfdJo47OyMZ5d5', 'vWHor9fTxy6mqC77dsa', 'tIpL5EfEbdtVX8veE5c', 'x47lbCffgM6A9AowPPE'
Source: file.exe, ZipNameTransform.cs High entropy of concatenated method names: 'TransformDirectory', 'TransformFile', 'MakeValidName', 'IsValidName', 'IsValidName', 'Q2XO37Tlj23gdM3gtr9', 'NQd2LgTvxD9VyyBSfb4', 'wi4WavTOoaPbpnocJ2C', 'DBuXOFTzSGTtxHdM1iv', 'vwkFoTEmI1lhQqDoHqC'
Source: file.exe, NTTaggedData.cs High entropy of concatenated method names: 'SetData', 'GetData', 'IsValidValue', 'tAf0y1fC3chHhmbRb41', 'aRvWjqf7AwlK8Dd9i8J', 'KWBVoVfKfB9OaQaIIe1', 'UdJkFLfu5YLWZ644KU8', 'o5Dh4Mf6Gtp4UdZU3ch', 'n98E2qfqt3LjA7N7F4i', 'agoCUafSsSS1vad2LfG'
Source: file.exe, JwhvgedeRfwm9Lu09s.cs High entropy of concatenated method names: 'w2hJonyyhqPlh', 'M1t21Hac1MiILf8Lnvg', 'jkb9gaaYXqp0FvqsB80', 'LWixwZapp3HsXwGSrhm', 'Lc9NjoabqXuEH4Rp9qC', 'VTjl18a9CaUbfiEe9VW', 'k2Ao5cadf1Jx43vSrtL'
Source: file.exe, mEqmoE9UxRmX9ogcto.cs High entropy of concatenated method names: 'Q5MkM5QYd3', 'POW6qfaHnBBDfxdjtaM', 'aAmFOja29vwRElvkp5C', 'ELgtGSaWsbGEZhYea09', 'HhHXWnaJpOTpmLhYioN', 'AqY3WfaCE0Cw5YFaBpT', 'Fbn4fIa76Z9XXsyRrTf', 'ovGWF0aKYZyMlXD5ZtZ', 'bn9KpBau0ggioIE79To', 'fHSkdAnkJf'
Source: file.exe, MyProject.cs High entropy of concatenated method names: 'Create__Instance__', 'Dispose__Instance__', 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Wl962VFDTKIUXWr02g', 'j9vB4MVJ5El7j4ViK1', 'svN1R119saW6aTRgVW', 'LZ4qmlLVN9VNBiX5EZ'
Source: file.exe, NJOADhoFiIhdt67r9V.cs High entropy of concatenated method names: 'iLNJonyzdjW6o', 'obWuTEaxskfg8vDKAme', 'oFGbO4a8MptLRRprsXy', 'TpUDhraR7S6A2jWW39E', 'CMg69pa5fRxci8U06VA', 'D6dDPAaXEk2phB7l986', 'mLg3ohajjxyMZs6a3hL'
Source: file.exe, TarHeader.cs High entropy of concatenated method names: 'GetName', 'Clone', 'ParseBuffer', 'WriteHeader', 'GetHashCode', 'Equals', 'SetValueDefaults', 'RestoreSetValues', 'ParseOctal', 'ParseName'
Source: file.exe, TarEntry.cs High entropy of concatenated method names: 'Clone', 'CreateTarEntry', 'CreateEntryFromFile', 'Equals', 'GetHashCode', 'IsDescendent', 'SetIds', 'SetNames', 'GetFileTarHeader', 'GetDirectoryEntries'
Source: file.exe, TarOutputStream.cs High entropy of concatenated method names: 'Seek', 'SetLength', 'ReadByte', 'Read', 'Flush', 'Finish', 'Close', 'GetRecordSize', 'PutNextEntry', 'CloseEntry'
Source: file.exe, TarArchive.cs High entropy of concatenated method names: 'OnProgressMessageEvent', 'CreateInputTarArchive', 'CreateInputTarArchive', 'CreateOutputTarArchive', 'CreateOutputTarArchive', 'SetKeepOldFiles', 'SetAsciiTranslation', 'SetUserInfo', 'CloseArchive', 'ListContents'
Source: file.exe, TarInputStream.cs High entropy of concatenated method names: 'CreateEntry', 'CreateEntryFromFile', 'CreateEntry', 'CreateEntry', 'CreateEntryFromFile', 'CreateEntry', 'b71kWNccJJlw1q2MkF2', 'C5ZclycYnKHBZRfDpZy', 'eRU5K8c93nX2A2Anuev', 'Flush'
Source: file.exe, FileSystemScanner.cs High entropy of concatenated method names: 'OnDirectoryFailure', 'OnFileFailure', 'OnProcessFile', 'OnCompleteFile', 'OnProcessDirectory', 'Scan', 'ScanDir', 'HoXnhFTgPH1DRNrtF1f', 'PNjo2vTsm3vwqfVBnmK', 'V5uC81THXkVKPQ9s9NB'
Source: file.exe, NameFilter.cs High entropy of concatenated method names: 'IsValidExpression', 'IsValidFilterExpression', 'SplitQuoted', 'ToString', 'IsIncluded', 'IsExcluded', 'IsMatch', 'Compile', 'H1iWXud0WeuK4es161l', 'yRtLuedIU4roFsUAfVW'
Source: file.exe, StreamUtils.cs High entropy of concatenated method names: 'ReadFully', 'ReadFully', 'Copy', 'Copy', 'Copy', 'Cks3xEe4hdeBSBpkJ3t', 'qWwdKoemfTwqp0014Pn', 'Grg2LRenuycuTnvH4Kk', 'q3QLZ1eBQ3t7Ei2yeHA', 'eNxkjPePMETaTsvwgaq'
Source: file.exe, ZipAESTransform.cs High entropy of concatenated method names: 'TransformBlock', 'GetAuthCode', 'TransformFinalBlock', 'Dispose', 'hvhHgyk0Q2Tvu6xV37x', 'OBZCLHkIS5kRvRBlDCT', 'PPhKgRkrZu3jJ2Y6FhM', 'Em623CkMD3YBZbBBUN4', 'sRwErhkGZmr6nExN3vK', 'jelERbkoT5fAw7WfXgs'
Source: file.exe, GZipInputStream.cs High entropy of concatenated method names: 'Read', 'ReadHeader', 'ReadFooter', 'MTNjkbwjDQjjwwiuWbX', 'NKB2XqwxfAs3sX6lCvR', 'oO10yYw8acypvRE0QTD', 'DvSBqFwRenNVNWm1hnI', 'JA1Vyuw5mIcyBQlTWRv', 'zlpVk6wlqlBifAnmgqR', 'gGR7aiwv2KMSqusH68X'
Source: file.exe, GZipOutputStream.cs High entropy of concatenated method names: 'SetLevel', 'GetLevel', 'Write', 'Close', 'Finish', 'WriteHeader', 'IGIxDdwSjG2F7yT5rjt', 'lXSG29wFESdHZZGFpgm', 'Q64lmDwVu6w9V9dfZ0Z', 'Ab3AVbw1Wn1Y8EtUVP9'
Source: 0.2.file.exe.3d67e10.1.raw.unpack, G8WxH38hhBnr1IE68vI.cs High entropy of concatenated method names: 'uYP5UMy1hu', 'nt15Ceoiwh', 'opo5rgGLQg', 'gA95bU2ExD', 'Rks5BkBZi5', 'ADm5J0cpqR', 'NaM52ZqZyD', 'THoZbd2fUw', 'Y8N5itYb3g', 'Wb65MvkIMT'
Source: 0.2.file.exe.3d67e10.1.raw.unpack, mLrwBjaNEgFvrhaGTgv.cs High entropy of concatenated method names: 'oQG8WrDol0', 'g38PJ8K3c0', 'jBH8UdC1PV', 'UlO8CDfJsQ', 'hcC8rW5pKa', 'mN58bMtfWM', 'ts3XxWXD9Z', 'OigaEK3D3W', 'jroa4iUVTS', 'B6saGICwMv'

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7256, type: MEMORYSTR
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\^Q
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,^Q
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1760000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Users\user\Desktop\file.exe TID: 7260 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,^q
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\^q
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF5948B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF0B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CF0B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF5948B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF5B144
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
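The evasion evidence listed above (write-watch reservations, the 922337203685477 ms sleeps, which is Int64.MaxValue ticks / 10,000, i.e. TimeSpan.MaxValue expressed in milliseconds, and the qemu-ga.exe strings in MSBuild.exe memory) and the write of an MZ-headed image into MSBuild.exe at base 0x400000 recorded under "HIPS / PFW / Operating System Protection Evasion" in the next section can be pulled out of the report text mechanically. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. The sample lines it parses are copied from this report's own entries, the line patterns are assumptions about the report's text format, and the 30-second "long sleep" threshold and the list of VM guest-agent names are the example's own choices.

```python
import json
import re

# Int64.MaxValue ticks / 10,000 = TimeSpan.MaxValue in milliseconds; the report prints
# this value for the file.exe and MSBuild.exe sleeps, i.e. the thread never wakes up.
INFINITE_SLEEP_MS = 922_337_203_685_477
LONG_SLEEP_MS = 30_000  # assumption: the example's own triage threshold (30 s)

# Assumption: guest-agent / hypervisor-tool names worth flagging when found in memory.
VM_ARTEFACTS = ("qemu-ga.exe", "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe")

# Line patterns modelled on the wording of the report entries (assumption: the wording
# is stable; the trailing "Jump to ..." link text is stripped before matching).
WRITE_WATCH = re.compile(
    r"^Source: (?P<proc>\S+) Memory allocated: (?P<addr>[0-9A-Fa-f]+) "
    r"memory reserve \| memory write watch$")
SLEEP = re.compile(
    r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
MEM_STRING = re.compile(r"Binary or memory string: (?P<s>.*)$")
FOREIGN_ALLOC = re.compile(
    r"^Source: (?P<src>\S+) Memory allocated: (?P<target>\S+) "
    r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
FOREIGN_WRITE = re.compile(
    r"^Source: (?P<src>\S+) Memory written: (?P<target>\S+) "
    r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
PROC_CREATED = re.compile(r"^Source: (?P<src>\S+) Process created: (?P<target>\S+) ")

# Constructed input: lines copied verbatim from this report's evidence sections.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1130000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1760000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7260 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\^Q
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000330A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1091008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe Jump to behavior
"""


def triage(report_text):
    """Return the evasion and injection indicators found in a block of report lines."""
    findings = {"write_watch": [], "long_sleep": [], "vm_artefacts": set(), "pe_injection": []}
    exec_allocs = set()   # (injector, victim, base) reserved with execute protection
    created = set()       # (parent, child) pairs
    mz_writes = []        # (injector, victim, base) where the written data starts with "MZ"
    for raw in report_text.splitlines():
        line = re.sub(r"\s+Jump to (?:behavior|dropped file)$", "", raw.strip())
        if not line:
            continue
        if m := WRITE_WATCH.match(line):
            findings["write_watch"].append((m["proc"], int(m["addr"], 16)))
        elif m := SLEEP.match(line):
            ms = int(m["ms"])
            if ms >= LONG_SLEEP_MS:
                kind = "infinite" if ms >= INFINITE_SLEEP_MS else "long"
                findings["long_sleep"].append((m["proc"], int(m["tid"]), kind))
        elif m := MEM_STRING.search(line):
            s = m["s"].lower()
            findings["vm_artefacts"].update(a for a in VM_ARTEFACTS if a in s)
        elif m := FOREIGN_ALLOC.match(line):
            if "execute" in m["prot"]:
                exec_allocs.add((m["src"], m["target"], int(m["base"], 16)))
        elif m := FOREIGN_WRITE.match(line):
            if (m["magic"] or "").upper().startswith("4D5A"):
                mz_writes.append((m["src"], m["target"], int(m["base"], 16)))
        elif m := PROC_CREATED.match(line):
            created.add((m["src"], m["target"]))
    # Correlate after the pass: the report groups evidence per signature, not in time order.
    for src, target, base in mz_writes:
        if (src, target, base) in exec_allocs:
            findings["pe_injection"].append({
                "injector": src, "victim": target, "base": base,
                "victim_is_child": (src, target) in created})
    findings["vm_artefacts"] = sorted(findings["vm_artefacts"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The correlation step is the part worth keeping: an executable allocation in a foreign process, a write to the same base whose first bytes are 4D5A, and a Process created entry for the same parent/child pair together describe a full image being planted in a process the injector itself spawned, which is a stronger signal than any of the three lines on its own.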

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 462000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4BE000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1091008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000340E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000001.00000002.1668686227.000000000340E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF584B0 cpuid 0_2_6CF584B0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF5A25A GetSystemTimeAsFileTime,__aulldiv, 0_2_6CF5A25A
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1649795317.0000000003CAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1665266688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1640845575.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1649795317.0000000003CAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1665266688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1649795317.0000000003CAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1665266688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1640845575.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1649795317.0000000003CAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1665266688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CF0A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CF0A0C0
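The "Yara match" lists in the Stealing of Sensitive Information and Remote Access Functionality blocks above identify where each rule fired only by opaque dump names. The following Python is an added example, not part of the Joe Sandbox report, that parses those lines and decodes the identifiers so hits can be cross-referenced by process and memory region. The field layout assumed for the `.sdmp` names (process index, dump phase, an opaque id, region base, page protection, two undecoded fields around the region type) is inferred from the values on this page rather than taken from vendor documentation; the protection and type constants are the standard `winnt.h` values. The `x.y.image.base.n.unpack` layout is likewise inferred from the three unpack names on the page.

```python
"""Decode Joe Sandbox 'Yara match' source identifiers (added example).

Inferred .sdmp layout: proc.phase.id.base.protect.<f6>.type.<f8>.sdmp
Inferred unpack layout: proc.phase.image.base.n[.raw].unpack
"""
import re
from collections import Counter

# Standard winnt.h constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

LINE_RE = re.compile(r"Source:\s*Yara match\s+File source:\s*(?P<src>\S+),\s*type:\s*(?P<kind>\w+)")
# Assumed field order; f6 and f8 are kept opaque because their meaning is not known.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+\.(?:raw\.)?unpack$")


def decode_source(src: str, kind: str) -> dict:
    """Turn one 'File source' identifier into a structured record."""
    if kind == "SAMPLE":
        return {"kind": kind, "proc": None, "phase": None, "image": src,
                "base": None, "protect": None, "type": None}
    if kind == "MEMORY":
        m = SDMP_RE.match(src)
        if not m:
            raise ValueError(f"unrecognised memory dump name: {src}")
        protect, mtype = int(m["protect"], 16), int(m["type"], 16)
        return {"kind": kind, "proc": int(m["proc"], 16), "phase": int(m["phase"], 16),
                "image": None, "base": int(m["base"], 16),
                "protect": PAGE_PROTECT.get(protect, hex(protect)),
                "type": MEM_TYPE.get(mtype, hex(mtype))}
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(src)
        if not m:
            raise ValueError(f"unrecognised unpack name: {src}")
        return {"kind": kind, "proc": int(m["proc"]), "phase": int(m["phase"]),
                "image": m["image"], "base": int(m["base"], 16),
                "protect": None, "type": None}
    raise ValueError(f"unknown source type: {kind}")


def parse_report(text: str) -> list:
    """Parse every 'Yara match' line in a block of report text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append(decode_source(m["src"], m["kind"]))
    return hits


def injected_rwx_regions(hits: list) -> list:
    """(process index, base) of private RWX regions carrying a Yara hit:
    the usual footprint of a payload written into a foreign process."""
    found = {(h["proc"], h["base"]) for h in hits
             if h["kind"] == "MEMORY" and h["protect"] == "PAGE_EXECUTE_READWRITE"
             and h["type"] == "MEM_PRIVATE"}
    return sorted(found)


def hits_per_process(hits: list) -> Counter:
    """Number of Yara hits per process index (SAMPLE lines excluded)."""
    return Counter(h["proc"] for h in hits if h["proc"] is not None)


# Constructed input: the first seven lines of the Remote Access Functionality
# block above, copied verbatim from this report.
SAMPLE_LINES = """\
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.3d67e10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1649795317.0000000003D4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1665266688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1640845575.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LINES)
    for h in parsed:
        print(h)
    print("RWX private regions with Yara hits:",
          [(p, hex(b)) for p, b in injected_rwx_regions(parsed)])
```

Run on the page's own lines, the decoder maps process index 0 to file.exe and index 1 to MSBuild.exe (the unpack names carry the image name), and flags one private PAGE_EXECUTE_READWRITE region, 0x402000 inside MSBuild.exe, which sits inside the 1.2.MSBuild.exe.400000.0.unpack image and is consistent with the "Injects a PE file into a foreign processes" signature. Treat the protection decoding as a working hypothesis: the image region at 0x3F2000 decodes to PAGE_READONLY rather than the PAGE_EXECUTE_READ one would expect for a code section, so confirm the field semantics against the sandbox's own documentation before relying on them in tooling.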
No contacted IP infos