Analysis Report SGQ-200875.exe

Overview

General Information

Sample Name: SGQ-200875.exe
MD5: 9895f8fe3df4c3309b81cd5cf08c0e24
SHA1: 1006644a248bc248d1c1db6909ae886afa7d3478
SHA256: 315992fe86f3bc95dc19312739fe9e89ee80a85f94c02bbebb420919bfaec5d6

Detection

AgentTesla
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Installs a global keyboard hook
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • SGQ-200875.exe (PID: 3180 cmdline: 'C:\Users\user\Desktop\SGQ-200875.exe' MD5: 9895F8FE3DF4C3309B81CD5CF08C0E24)
    • rundll32.exe (PID: 4588 cmdline: C:\Windows\system32\rundll32.exe SwatVelamen,Pretor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • MSBuild.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: MSBuild.exe PID: 4136 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SGQ-200875.exe | Virustotal: Detection: 16%
Source: 3.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402765 FindFirstFileA,
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: nslDBDA.tmp.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: nslDBDA.tmp.0.dr | String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SGQ-200875.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SGQ-200875.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nslDBDA.tmp.0.dr | String found in binary or memory: http://openoffice.org/2001/toolbar
Source: nslDBDA.tmp.0.dr | String found in binary or memory: http://tempuri.org/Intro.xsd
Source: nslDBDA.tmp.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: x-s3m.xml.0.dr, prs.sid.xml.0.dr, x-icns.xml.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_0123318C NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_012354E0 NtDelayExecution,
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: SGQ-200875.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: nslDBDA.tmp.0.dr | Binary or memory string: <SampleName>Replsamp.vbp</SampleName>
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@5/31@0/0
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\nslDBD9.tmp
Source: SGQ-200875.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SGQ-200875.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SGQ-200875.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
Source: C:\Users\user\Desktop\SGQ-200875.exe | File read: C:\Users\user\Desktop\SGQ-200875.exe
Source: unknown | Process created: C:\Users\user\Desktop\SGQ-200875.exe 'C:\Users\user\Desktop\SGQ-200875.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SGQ-200875.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: sbscmp10.pdb source: sbscmp10.dll.0.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb source: nslDBDA.tmp.0.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb4 source: nslDBDA.tmp.0.dr
Source: Binary string: ResGen.pdb source: nslDBDA.tmp.0.dr
Source: Binary string: ResGen.pdbVSDesigner\Tools\ResGen\objr\i386\ResGen.pdbBSJB source: nslDBDA.tmp.0.dr
Source: Binary string: VSDesigner\Tools\ResGen\objr\i386\ResGen.pdb source: nslDBDA.tmp.0.dr
Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.865495081.0000000006730000.00000002.00000001.sdmp
Source: Binary string: mc.pdb source: nslDBDA.tmp.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10003CFD push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_068568DD push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_06856C19 push es; ret

Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\conmanui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can\resgen.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\SwatVelamen.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exe

Source: C:\Users\user\Desktop\SGQ-200875.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\Desktop\SGQ-200875.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: threadDelayed 418
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exe
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\conmanui.dll
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dll
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\resgen.exe
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
          Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948 | Thread sleep count: 418 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948 | Thread sleep time: -58940508s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -58218s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -54124s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -44812s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -43500s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -42812s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -41188s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -39624s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -33718s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3436 | Thread sleep time: -42406s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 948 | Thread sleep time: -141006s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402765 FindFirstFileA,
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: nslDBDA.tmp.0.dr | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuestLoggingEnabled255
          Source: nslDBDA.tmp.0.dr | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: MSBuild.exe, 00000003.00000002.865052602.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SGQ-200875.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information queried: ProcessInformation

          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_05766B98 LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10005CE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_01230000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_01230CE4 mov edi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_01234E70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_01232C5D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10005CE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007B45 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_1000254B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
          Source: MSBuild.exe, 00000003.00000002.862229249.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10003EAC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match | File source: 00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4136, type: MEMORY
          Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match | File source: 00000003.00000002.861079582.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.864004123.0000000003660000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4136, type: MEMORY
          Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation211 | Hooking1 | Hooking1 | Software Packing1 | Credential Dumping1 | System Time Discovery1 | Application Deployment Software | Data from Local System1 | Data Encrypted1 | Standard Cryptographic Protocol12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Replication Through Removable Media | Rundll321 | Modify Existing Service1 | Access Token Manipulation1 | Disabling Security Tools1 | Hooking1 | Security Software Discovery131 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Standard Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          External Remote Services | Execution through API2 | New Service1 | Process Injection112 | Rundll321 | Input Capture11 | File and Directory Discovery2 | Windows Remote Management | Input Capture11 | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Drive-by Compromise | Scheduled Task | System Firmware | New Service1 | Obfuscated Files or Information1 | Credentials in Files | System Information Discovery126 | Logon Scripts | Clipboard Data2 | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
          Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading1 | Account Manipulation | Virtualization/Sandbox Evasion14 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion14 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
          Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Access Token Manipulation1 | Two-Factor Authentication Interception | Application Window Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection112 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph


          Screenshots
