Loading ...

Play interactive tourEdit tour

Analysis Report SGQ-200875.exe

Overview

General Information

Sample Name:SGQ-200875.exe
MD5:9895f8fe3df4c3309b81cd5cf08c0e24
SHA1:1006644a248bc248d1c1db6909ae886afa7d3478
SHA256:315992fe86f3bc95dc19312739fe9e89ee80a85f94c02bbebb420919bfaec5d6

Most interesting Screenshot:

Detection

AgentTesla
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Installs a global keyboard hook
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SGQ-200875.exe (PID: 3180 cmdline: 'C:\Users\user\Desktop\SGQ-200875.exe' MD5: 9895F8FE3DF4C3309B81CD5CF08C0E24)
    • rundll32.exe (PID: 4588 cmdline: C:\Windows\system32\rundll32.exe SwatVelamen,Pretor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • MSBuild.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      Process Memory Space: MSBuild.exe PID: 4136JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        3.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Multi AV Scanner detection for submitted fileShow sources
          Source: SGQ-200875.exeVirustotal: Detection: 16%Perma Link
          Source: 3.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00402765 FindFirstFileA,0_2_00402765
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00406469 FindFirstFileA,FindClose,0_2_00406469
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040592E

          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 40.90.22.183
          Source: unknownTCP traffic detected without corresponding DNS query: 72.247.178.11
          Source: unknownTCP traffic detected without corresponding DNS query: 40.90.22.187
          Source: unknownTCP traffic detected without corresponding DNS query: 40.90.22.187
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.42.23
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.5.88
          Source: unknownTCP traffic detected without corresponding DNS query: 205.185.216.10
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 205.185.216.10
          Source: unknownTCP traffic detected without corresponding DNS query: 23.59.69.7
          Source: unknownTCP traffic detected without corresponding DNS query: 23.59.69.7
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 205.185.216.10
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
          Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
          Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.247
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.221.240
          Source: unknownTCP traffic detected without corresponding DNS query: 40.90.23.247
          Source: nslDBDA.tmp.0.drString found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
          Source: nslDBDA.tmp.0.drString found in binary or memory: http://mozilla.org/MPL/2.0/.
          Source: SGQ-200875.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: SGQ-200875.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: nslDBDA.tmp.0.drString found in binary or memory: http://openoffice.org/2001/toolbar
          Source: nslDBDA.tmp.0.drString found in binary or memory: http://tempuri.org/Intro.xsd
          Source: nslDBDA.tmp.0.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: x-s3m.xml.0.dr, prs.sid.xml.0.dr, x-icns.xml.0.drString found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
          Source: unknownNetwork traffic detected: HTTP traffic on port 49669 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49668 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          barindex
          Installs a global keyboard hookShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004053CB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0123318C NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,3_2_0123318C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_012354E0 NtDelayExecution,3_2_012354E0
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004069430_2_00406943
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_0040711A0_2_0040711A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_100050DB2_2_100050DB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057615383_2_05761538
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057641983_2_05764198
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05764C483_2_05764C48
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0576A3003_2_0576A300
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057617C83_2_057617C8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05760EE03_2_05760EE0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05762E973_2_05762E97
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057635FC3_2_057635FC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057641893_2_05764189
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05763C5B3_2_05763C5B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05764C383_2_05764C38
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0576042A3_2_0576042A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057600073_2_05760007
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0576049E3_2_0576049E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0576649D3_2_0576649D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0576336B3_2_0576336B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05762E973_2_05762E97
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057646F43_2_057646F4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057662E83_2_057662E8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05760ED13_2_05760ED1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057D00B93_2_057D00B9
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057DF3A83_2_057DF3A8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_057DF3983_2_057DF398
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_06858E023_2_06858E02
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_06857A203_2_06857A20
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068572703_2_06857270
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068598D63_2_068598D6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_06856CD13_2_06856CD1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068554203_2_06855420
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068580403_2_06858040
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0685B8603_2_0685B860
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_06857A103_2_06857A10
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068572603_2_06857260
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068583DC3_2_068583DC
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068583263_2_06858326
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068593643_2_06859364
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0685849E3_2_0685849E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068580313_2_06858031
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_0685958B3_2_0685958B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068549B03_2_068549B0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068549C03_2_068549C0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068581FD3_2_068581FD
          Source: SGQ-200875.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dllJump to behavior
          Source: nslDBDA.tmp.0.drBinary or memory string: <SampleName>Replsamp.vbp</SampleName>
          Source: classification engineClassification label: mal84.troj.spyw.evad.winEXE@5/31@0/0
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404686
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Roaming\canJump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\nslDBD9.tmpJump to behavior
          Source: SGQ-200875.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
          Source: SGQ-200875.exeVirustotal: Detection: 16%
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile read: C:\Users\user\Desktop\SGQ-200875.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\SGQ-200875.exe 'C:\Users\user\Desktop\SGQ-200875.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
          Source: C:\Users\user\Desktop\SGQ-200875.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,PretorJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: SGQ-200875.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: sbscmp10.pdb source: sbscmp10.dll.0.dr
          Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb source: nslDBDA.tmp.0.dr
          Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb4 source: nslDBDA.tmp.0.dr
          Source: Binary string: ResGen.pdb source: nslDBDA.tmp.0.dr
          Source: Binary string: ResGen.pdbVSDesigner\Tools\ResGen\objr\i386\ResGen.pdbBSJB source: nslDBDA.tmp.0.dr
          Source: Binary string: VSDesigner\Tools\ResGen\objr\i386\ResGen.pdb source: nslDBDA.tmp.0.dr
          Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.865495081.0000000006730000.00000002.00000001.sdmp
          Source: Binary string: mc.pdb source: nslDBDA.tmp.0.dr

          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,2_2_10007988
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10003CFD push ecx; ret 2_2_10003D10
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_068568DD push eax; ret 3_2_068568DE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_06856C19 push es; ret 3_2_06856C3C

          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\ship\conmanui.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exeJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Roaming\can\resgen.exeJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\SwatVelamen.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeFile created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exeJump to dropped file

          Source: C:\Users\user\Desktop\SGQ-200875.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuestJump to behavior

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Overwrites code with unconditional jumps - possibly settings hooks in foreign processShow sources
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775A4A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775A4AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775A4B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775A4B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775A4B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775BF8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 77553850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 775550A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 77516560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 7751B4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 7753DF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 7755FB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4588 base: 7755FD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775A4A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775A4AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775A4B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775A4B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775A4B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775BF8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 77553850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 775550A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 77516560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 7751B4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 7753DF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 7755FB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4136 base: 7755FD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775A4A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775A4AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775A4B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775A4B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775A4B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775BF8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 77553850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 775550A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 77516560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 7751B4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 7753DF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 7755FB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 4136 base: 7755FD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: threadDelayed 418Jump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exeJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\conmanui.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\resgen.exeJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dllJump to dropped file
          Source: C:\Users\user\Desktop\SGQ-200875.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exeJump to dropped file
          Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_2-3791
          Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-4182
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948Thread sleep count: 418 > 30Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948Thread sleep time: -58940508s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -58218s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -54124s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -44812s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -43500s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -42812s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -41188s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -39624s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -33718s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -44000s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436Thread sleep time: -42406s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948Thread sleep time: -141006s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00402765 FindFirstFileA,0_2_00402765
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_00406469 FindFirstFileA,FindClose,0_2_00406469
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040592E
          Source: nslDBDA.tmp.0.drBinary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuestLoggingEnabled255
          Source: nslDBDA.tmp.0.drBinary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SGQ-200875.exeAPI call chain: ExitProcess graph end nodegraph_0-3262
          Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_2-4184
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information queried: ProcessInformationJump to behavior

          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugObjectHandleJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_05766B98 LdrInitializeThunk,3_2_05766B98
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10005CE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_10005CE6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,2_2_10007988
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_01230000 mov eax, dword ptr fs:[00000030h]3_2_01230000
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_01230CE4 mov edi, dword ptr fs:[00000030h]3_2_01230CE4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_01234E70 mov eax, dword ptr fs:[00000030h]3_2_01234E70
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 3_2_01232C5D mov eax, dword ptr fs:[00000030h]3_2_01232C5D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10005CE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_10005CE6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10007B45 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_10007B45
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_1000254B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_1000254B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          Maps a DLL or memory area into another processShow sources
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmpBinary or memory string: RProgram Managerm
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,2_2_10008128
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10003EAC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_10003EAC
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: 00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4136, type: MEMORY
          Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Tries to steal Mail credentials (via file access)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior

          Remote Access Functionality:

          barindex
          Yara detected AgentTeslaShow sources
          Source: Yara matchFile source: 00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4136, type: MEMORY
          Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsWindows Management Instrumentation211Hooking1Hooking1Software Packing1Credential Dumping1System Time Discovery1Application Deployment SoftwareData from Local System1Data Encrypted1Standard Cryptographic Protocol12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Replication Through Removable MediaRundll321Modify Existing Service1Access Token Manipulation1Disabling Security Tools1Hooking1Security Software Discovery131Remote ServicesEmail Collection1Exfiltration Over Other Network MediumStandard Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          External Remote ServicesExecution through API2New Service1Process Injection112Rundll321Input Capture11File and Directory Discovery2Windows Remote ManagementInput Capture11Automated ExfiltrationCustom Cryptographic ProtocolExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Drive-by CompromiseScheduled TaskSystem FirmwareNew Service1Obfuscated Files or Information1Credentials in FilesSystem Information Discovery126Logon ScriptsClipboard Data2Data EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
          Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasquerading1Account ManipulationVirtualization/Sandbox Evasion14Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceVirtualization/Sandbox Evasion14Brute ForceProcess Discovery2Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
          Spearphishing AttachmentScriptingPath InterceptionScheduled TaskAccess Token Manipulation1Two-Factor Authentication InterceptionApplication Window Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionProcess Injection112Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessDLL Side-Loading1Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.