
Analysis Report Drawings.exe

Overview

General Information

Sample Name: Drawings.exe
Analysis ID: 250862
MD5: 96b39508ca6c74a94638bf4bbb825e8e
SHA1: f7c3e5621cbcae809610624593465fb1d2addddb
SHA256: 1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected MailPassView
Changes the view of files in windows explorer (hidden files and folders)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Drawings.exe (PID: 5548 cmdline: 'C:\Users\user\Desktop\Drawings.exe' MD5: 96B39508CA6C74A94638BF4BBB825E8E)
    • schtasks.exe (PID: 5648 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 5696 cmdline: {path} MD5: 88BBB7610152B48C2B3879473B17857E)
      • dw20.exe (PID: 5844 cmdline: dw20.exe -x -s 2220 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 5948 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5960 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Drawings.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xc0198:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\jbNuzmANa.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xc0198:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.490688463.00000000007AB000.00000004.00000020.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x4db38:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.477716716.0000000000042000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xbff98:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.489601821.0000000000042000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xbff98:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000004.00000002.529825428.000000000305C000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x2674:$hawkstr1: HawkEye Keylogger
  • 0x20ec:$hawkstr2: Dear HawkEye Customers!
  • 0x221e:$hawkstr3: HawkEye Logger Details:
00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Drawings.exe.40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xc0198:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.Drawings.exe.40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xc0198:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
4.2.MSBuild.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8ce:$key: HawkEyeKeylogger
  • 0x7db12:$salt: 099u787978786
  • 0x7bf0f:$string1: HawkEye_Keylogger
  • 0x7cd62:$string1: HawkEye_Keylogger
  • 0x7da72:$string1: HawkEye_Keylogger
  • 0x7c2f8:$string2: holdermail.txt
  • 0x7c318:$string2: holdermail.txt
  • 0x7c23a:$string3: wallet.dat
  • 0x7c252:$string3: wallet.dat
  • 0x7c268:$string3: wallet.dat
  • 0x7d636:$string4: Keylog Records
  • 0x7d94e:$string4: Keylog Records
  • 0x7db6a:$string5: do not script -->
  • 0x7b8b6:$string6: \pidloc.txt
  • 0x7b944:$string7: BSPLIT
  • 0x7b954:$string7: BSPLIT
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Drawings.exe' , ParentImage: C:\Users\user\Desktop\Drawings.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp', ProcessId: 5648
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 5696, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 5948

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\jbNuzmANa.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\jbNuzmANa.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Drawings.exe | Virustotal: Detection: 27%
Source: Drawings.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jbNuzmANa.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Drawings.exe | Joe Sandbox ML: detected
Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: MSBuild.exe, 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: MSBuild.exe, 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD5CCE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD14C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD17F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then call 04DD1B20h | 4_2_04DD91BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD91BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD98B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then jmp 04DD1A73h | 4_2_04DD19B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then call 04DD1B20h | 4_2_04DD92A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD92A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then jmp 04DD1A73h | 4_2_04DD19A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD9F54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD5B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then call 04DD1B20h | 4_2_04DD8A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD8A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD956B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD6711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then mov esp, ebp | 4_2_04DD483E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DDA03E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD6038
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_04DD0728

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.154.36 104.16.154.36
Source: Joe Sandbox View | IP Address: 104.16.154.36 104.16.154.36
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 200.82.6.0.in-addr.arpa
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000004.00000002.527406174.0000000002C5D000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: MSBuild.exe, 00000004.00000002.527406174.0000000002C5D000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: MSBuild.exe, 00000004.00000002.529729354.000000000302E000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.comx&mp
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp, MSBuild.exe, 00000004.00000003.497515654.0000000005360000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: MSBuild.exe, 00000004.00000003.496244263.0000000005358000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MSBuild.exe, 00000004.00000003.496244263.0000000005358000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnnY
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: MSBuild.exe, 00000004.00000003.492866485.000000000536B000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: MSBuild.exe, 00000004.00000003.492866485.000000000536B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comI
Source: MSBuild.exe, 00000004.00000003.492763341.0000000005373000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comatn
Source: MSBuild.exe, 00000004.00000003.492763341.0000000005373000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: MSBuild.exe, 00000004.00000003.492763341.0000000005373000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comywa
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: MSBuild.exe, 00000004.00000002.527406174.0000000002C5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp, MSBuild.exe, 00000004.00000003.496979606.000000000536B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: MSBuild.exe, 00000004.00000003.496979606.000000000536B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comC7
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: MSBuild.exe, 00000004.00000002.533145025.00000000054B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000004.00000002.529751871.0000000003038000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com
Source: MSBuild.exe, 00000004.00000002.529729354.000000000302E000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com/
Source: MSBuild.exe, 00000004.00000002.529729354.000000000302E000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.comx&mp
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: Drawings.exe, 00000000.00000002.490609578.0000000000770000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.529825428.000000000305C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.495400013.00000000037E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.495400013.00000000037E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_050B1276 NtQuerySystemInformation | 0_2_050B1276
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_050B1245 NtQuerySystemInformation | 0_2_050B1245
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04E05C42 NtQuerySystemInformation | 4_2_04E05C42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04E05BFE NtQuerySystemInformation | 4_2_04E05BFE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02312518
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_023109B8
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02311280
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02311322
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02311896
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_023125C0
Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_00042050
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD5758
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD6048
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD8710
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD1D98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD7098
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD7088
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_04DD8A68
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2220
Source: Drawings.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jbNuzmANa.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.497266654.00000000048E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.489840472.0000000000104000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamewwNqV.exe$ vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.492827987.000000000285D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.498121575.00000000054A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.498499658.00000000055A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.498499658.00000000055A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.497725359.0000000004C70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLazarus.exe4 vs Drawings.exe
Source: Drawings.exe, 00000000.00000002.490609578.0000000000770000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Drawings.exe
Source: Drawings.exe | Binary or memory string: OriginalFilenamewwNqV.exe$ vs Drawings.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: security.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: Drawings.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.490688463.00000000007AB000.00000004.00000020.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.477716716.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.489601821.0000000000042000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000004.00000002.529825428.000000000305C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.523882304.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.495400013.00000000037E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.495400013.00000000037E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Drawings.exe PID: 5548, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: C:\Users\user\AppData\Roaming\jbNuzmANa.exe, type: DROPPED | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 0.2.Drawings.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 0.0.Drawings.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
        Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
        Source: Drawings.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: jbNuzmANa.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@12/9@3/1
        Source: C:\Users\user\Desktop\Drawings.exeCode function: 0_2_050B10FA AdjustTokenPrivileges,0_2_050B10FA
        Source: C:\Users\user\Desktop\Drawings.exeCode function: 0_2_050B10C3 AdjustTokenPrivileges,0_2_050B10C3
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 4_2_04E0404A AdjustTokenPrivileges,4_2_04E0404A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 4_2_04E04013 AdjustTokenPrivileges,4_2_04E04013
        Source: C:\Users\user\Desktop\Drawings.exeFile created: C:\Users\user\AppData\Roaming\jbNuzmANa.exeJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\Drawings.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC81E.tmpJump to behavior
        Source: Drawings.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Drawings.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: Drawings.exeVirustotal: Detection: 27%
        Source: Drawings.exeReversingLabs: Detection: 27%
        Source: C:\Users\user\Desktop\Drawings.exeFile read: C:\Users\user\Desktop\Drawings.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Drawings.exe 'C:\Users\user\Desktop\Drawings.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2220
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
        Source: C:\Users\user\Desktop\Drawings.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2220Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\Drawings.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: Drawings.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\Drawings.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Drawings.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbdWS source: MSBuild.exe, 00000004.00000002.525881056.0000000000DB0000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbF source: MSBuild.exe, 00000004.00000002.525743660.0000000000D5E000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb[ source: MSBuild.exe, 00000004.00000002.525743660.0000000000D5E000.00000004.00000020.sdmp
        Source: Binary string: symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: mscorlib.pdb source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.525881056.0000000000DB0000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdb4 source: MSBuild.exe, 00000004.00000002.526030004.0000000002897000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbHLr source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.529929549.000000000307E000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000004.00000002.526030004.0000000002897000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.525881056.0000000000DB0000.00000004.00000020.sdmp
        Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.526030004.0000000002897000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.525881056.0000000000DB0000.00000004.00000020.sdmp
        Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Drawings.exe, 00000000.00000002.496952645.0000000003B81000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.530039479.0000000003BE1000.00000004.00000001.sdmp
        Source: Binary string: 1&nC:\Windows\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.536856548.000000000817A000.00000004.00000010.sdmp
        Source: Binary string: mscorlib.pdbmma source: MSBuild.exe, 00000004.00000002.526016551.0000000002890000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb2 source: MSBuild.exe, 00000004.00000002.526016551.0000000002890000.00000004.00000040.sdmp
        Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.526030004.0000000002897000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000004.00000002.526030004.0000000002897000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: Drawings.exe, 00000000.00000002.497266654.00000000048E0000.00000002.00000001.sdmp, MSBuild.exe, 00000004.00000002.531690119.00000000050B0000.00000002.00000001.sdmp
        Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_0004A49D push 7E0000FFh; retf 0000h 0_2_0004A588
        Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02312EF0 push 08418B00h; ret 0_2_02312F03
        Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_023149F0 pushad ; retf 0076h 0_2_023149F5
        Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02314EF0 push eax; retf 0_2_02314EF1
        Source: C:\Users\user\Desktop\Drawings.exe | Code function: 0_2_02314EF8 pushad ; retf 0_2_02314EF9
        Source: initial sample | Static PE information: section name: .text entropy: 7.69176792645
        Source: C:\Users\user\Desktop\Drawings.exe | File created: C:\Users\user\AppData\Roaming\jbNuzmANa.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jbNuzmANa' /XML 'C:\Users\user\AppData\Local\Temp\tmpC81E.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Changes the view of files in windows explorer (hidden files and folders)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
        Source: C:\Users\user\Desktop\Drawings.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX (8 identical entries)

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: Process Memory Space: Drawings.exe PID: 5548, type: MEMORY
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\Drawings.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLD
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMED
        Source: Drawings.exe, 00000000.00000002.492647569.00000000027E1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
        Source: C:\Users\user\Desktop\Drawings.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Users\user\Desktop\Drawings.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Users\user\Desktop\Drawings.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Users\user\Desktop\Drawings.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
        Source: C:\Users\user\Desktop\Drawings.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: GetAdaptersInfo, 4_2_04E02D72
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: GetAdaptersInfo, 4_2_04E02D4A
        Source: C:\Users\user\Desktop\Drawings.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 300000
        Source: C:\Users\user\Desktop\Drawings.exe TID: 5552Thread sleep time: -38000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Drawings.exe TID: 5604Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5724Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5828Thread sleep time: -120000s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5832Thread sleep time: -140000s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5840Thread sleep time: -300000s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed