
Analysis Report SGQ-200875.exe

Overview

General Information

Sample Name:SGQ-200875.exe
MD5:9895f8fe3df4c3309b81cd5cf08c0e24
SHA1:1006644a248bc248d1c1db6909ae886afa7d3478
SHA256:315992fe86f3bc95dc19312739fe9e89ee80a85f94c02bbebb420919bfaec5d6

Most interesting Screenshot:

Detection

AgentTesla
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Installs a global keyboard hook
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SGQ-200875.exe (PID: 2644 cmdline: 'C:\Users\user\Desktop\SGQ-200875.exe' MD5: 9895F8FE3DF4C3309B81CD5CF08C0E24)
    • rundll32.exe (PID: 5280 cmdline: C:\Windows\system32\rundll32.exe SwatVelamen,Pretor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • MSBuild.exe (PID: 5252 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1204647266.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.1207414635.0000000002B50000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: MSBuild.exe PID: 5252 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SGQ-200875.exe | Virustotal: Detection: 16%
Source: 3.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose,0_2_00406469
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040592E

Source: unknown | TCP traffic detected without corresponding DNS query: 8.253.95.249
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.142.209
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 13.224.98.48
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 23.59.69.7
Source: unknown | TCP traffic detected without corresponding DNS query: 23.59.69.7
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.90.23.247
Source: unknown | TCP traffic detected without corresponding DNS query: 40.90.23.247
Source: unknown | TCP traffic detected without corresponding DNS query: 104.83.183.196
Source: unknown | TCP traffic detected without corresponding DNS query: 104.83.192.98
Source: unknown | TCP traffic detected without corresponding DNS query: 104.83.192.98
Source: unknown | TCP traffic detected without corresponding DNS query: 104.83.192.98
Source: unknown | TCP traffic detected without corresponding DNS query: 104.83.183.196
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.228
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.142.210
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.142.210
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.142.210
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.142.210
Source: nsv27CA.tmp.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: nsv27CA.tmp.0.dr | String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SGQ-200875.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SGQ-200875.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsv27CA.tmp.0.dr | String found in binary or memory: http://openoffice.org/2001/toolbar
Source: nsv27CA.tmp.0.dr | String found in binary or memory: http://tempuri.org/Intro.xsd
Source: nsv27CA.tmp.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: x-s3m.xml.0.dr, prs.sid.xml.0.dr, nsv27CA.tmp.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004053CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_005554E0 NtDelayExecution,3_2_005554E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_0055318C NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,3_2_0055318C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_009FB362 NtQuerySystemInformation,3_2_009FB362
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_009FB331 NtQuerySystemInformation,3_2_009FB331
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00406943 0_2_00406943
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_0040711A 0_2_0040711A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_100050DB 2_2_100050DB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB4C48 3_2_04CB4C48
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB0EE0 3_2_04CB0EE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB2E97 3_2_04CB2E97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB17B8 3_2_04CB17B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB049E 3_2_04CB049E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB649D 3_2_04CB649D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB3C5B 3_2_04CB3C5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB042A 3_2_04CB042A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB4C38 3_2_04CB4C38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB003F 3_2_04CB003F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB35FC 3_2_04CB35FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB4189 3_2_04CB4189
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB0ED1 3_2_04CB0ED1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB62E8 3_2_04CB62E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB2E97 3_2_04CB2E97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB336B 3_2_04CB336B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04DF00B9 3_2_04DF00B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04DFF078 3_2_04DFF078
Source: SGQ-200875.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: nsv27CA.tmp.0.dr | Binary or memory string: <SampleName>Replsamp.vbp</SampleName>
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@5/31@0/0
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_009FB1E6 AdjustTokenPrivileges,3_2_009FB1E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_009FB1AF AdjustTokenPrivileges,3_2_009FB1AF
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404686
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\nsv27C9.tmp
Source: SGQ-200875.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SGQ-200875.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SGQ-200875.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
Source: SGQ-200875.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\SGQ-200875.exe | File read: C:\Users\user\Desktop\SGQ-200875.exe
Source: unknown | Process created: C:\Users\user\Desktop\SGQ-200875.exe 'C:\Users\user\Desktop\SGQ-200875.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe SwatVelamen,Pretor
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SGQ-200875.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: sbscmp10.pdb source: nsv27CA.tmp.0.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb source: nsv27CA.tmp.0.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\sdk\v2.0\compactframework\windowsce\designer\genasm.pdb4 source: nsv27CA.tmp.0.dr
Source: Binary string: ResGen.pdb source: nsv27CA.tmp.0.dr
Source: Binary string: ResGen.pdbVSDesigner\Tools\ResGen\objr\i386\ResGen.pdbBSJB source: nsv27CA.tmp.0.dr
Source: Binary string: VSDesigner\Tools\ResGen\objr\i386\ResGen.pdb source: nsv27CA.tmp.0.dr
Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.1210205669.0000000005AA0000.00000002.00000001.sdmp
Source: Binary string: mc.pdb source: nsv27CA.tmp.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,2_2_10007988
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10003CFD push ecx; ret 2_2_10003D10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB4090 push ds; retf 3_2_04CB4092
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB62E8 push 63BB04CBh; retf 3_2_04CB6922
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB628F pushad ; retf 3_2_04CB6292
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB62A3 pushad ; retf 3_2_04CB62A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB62BB pushad ; retf 3_2_04CB62BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB62B7 pushad ; retf 3_2_04CB62BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB6277 pushad ; retf 3_2_04CB627A

Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\conmanui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can\resgen.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\SwatVelamen.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | File created: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll

Source: C:\Users\user\Desktop\SGQ-200875.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 77544A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 77544AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 77544B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 77544B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 77544B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 7755F8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774F3850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774F50A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774B6560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774BB4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774DDF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774FFB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5280 base: 774FFD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 77544A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 77544AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 77544B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 77544B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 77544B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 7755F8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774F3850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774F50A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774B6560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774BB4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774DDF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774FFB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5252 base: 774FFD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 77544A40 value: E9 FB 74 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 77544AE0 value: E9 6B 74 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 77544B70 value: E9 AB 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 77544B80 value: E9 DB 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 77544B90 value: E9 5B 73 FB FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 7755F8E0 value: E9 9B FF FF FF Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774F3850 value: E9 6B 78 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774F50A0 value: E9 EB 6E 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774B6560 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774BB4A0 value: E9 7B 46 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774DDF80 value: E9 0B 00 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774FFB90 value: E9 E1 52 00 00 Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory written: PID: 5252 base: 774FFD60 value: E9 26 5B 00 00 Jump to behavior
          Source: C:\Users\user\Desktop\SGQ-200875.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\rct\webservices\genasm.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\conmanui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\sbscmp10.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\resgen.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
Source: C:\Users\user\Desktop\SGQ-200875.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-4022
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_2-4411
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -58688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -58500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -57812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -57312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -56688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -56000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -55594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -55094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -54188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -53094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -52812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -52594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -50188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -49312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -49094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -48874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -48188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -47280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -47094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -46374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -46188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -45906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -44594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -42594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -39406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -38500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -36094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -34500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -33594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -33188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -32906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -32688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -32500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -32000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -31594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -31094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -30688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -30406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -30218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -58874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3964 | Thread sleep time: -56906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5368 | Thread sleep time: -3243138s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5368 | Thread sleep time: -141006s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
Source: C:\Users\user\Desktop\SGQ-200875.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E
Source: nsv27CA.tmp.0.dr | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuestLoggingEnabled255
Source: nsv27CA.tmp.0.dr | Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
Source: MSBuild.exe, 00000003.00000002.1209331230.0000000005590000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000003.00000002.1209331230.0000000005590000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000002.1209331230.0000000005590000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000003.00000002.1209331230.0000000005590000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SGQ-200875.exe | API call chain: ExitProcess graph end node graph_0-3262
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_2-4413
Source: C:\Windows\SysWOW64\rundll32.exe | Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_04CB6B98 LdrInitializeThunk, 3_2_04CB6B98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10005CE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10005CE6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007988 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10007988
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_00550000 mov eax, dword ptr fs:[00000030h] 3_2_00550000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_00552C5D mov eax, dword ptr fs:[00000030h] 3_2_00552C5D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_00554E70 mov eax, dword ptr fs:[00000030h] 3_2_00554E70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 3_2_00550CE4 mov edi, dword ptr fs:[00000030h] 3_2_00550CE4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_10007B45 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10007B45
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_1000254B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1000254B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: MSBuild.exe, 00000003.00000002.1206058881.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.1206058881.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.1206058881.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.1206058881.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000003.00000002.1207414635.0000000002B50000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(06/22/2020 20:55:44)</font></font><br><font color="#00ba66">{Win}</font>X
Source: MSBuild.exe, 00000003.00000002.1207414635.0000000002B50000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(06/22/2020 20:55:44)</font></font><br>

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, 2_2_10008128
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_10003EAC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_10003EAC
          Source: C:\Users\user\Desktop\SGQ-200875.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match, File source: 00000003.00000002.1204647266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.1207414635.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 5252, type: MEMORY
          Source: Yara match, File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match, File source: 00000003.00000002.1204647266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.1207414635.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 5252, type: MEMORY
          Source: Yara match, File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 211 | Hooking 1 | Hooking 1 | Software Packing 1 | Credential Dumping 1 | System Time Discovery 1 | Application Deployment Software | Data from Local System 1 | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Replication Through Removable Media | Rundll32 1 | Modify Existing Service 1 | Access Token Manipulation 1 | Disabling Security Tools 1 | Hooking 1 | Security Software Discovery 131 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Standard Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          External Remote Services | Execution through API 2 | New Service 1 | Process Injection 112 | Rundll32 1 | Input Capture 11 | File and Directory Discovery 2 | Windows Remote Management | Input Capture 11 | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Drive-by Compromise | Scheduled Task | System Firmware | New Service 1 | Obfuscated Files or Information 1 | Credentials in Files | System Information Discovery 127 | Logon Scripts | Clipboard Data 2 | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
          Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | Virtualization/Sandbox Evasion 14 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 14 | Brute Force | Process Discovery 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
          Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Access Token Manipulation 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection 112 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading 1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.