
Analysis Report Diagram.exe

Overview

General Information

Sample Name: Diagram.exe
Analysis ID: 251134
MD5: 4f356846f7030367803453f210306628
SHA1: 960fa757fdb7f628facb24b8b686f20c2fa79382
SHA256: f7cc73c4bd3b43e1c4be82c8ea43d8db9bd170acc78031e83f8c71277a2d8990


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • Diagram.exe (PID: 4268 cmdline: 'C:\Users\user\Desktop\Diagram.exe' MD5: 4F356846F7030367803453F210306628)
    • schtasks.exe (PID: 3252 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 4824 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • WerFault.exe (PID: 3228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1900 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 4308 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3972 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
Diagram.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x1c9ca:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\NurSHgGUQC.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x1c9ca:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.558042903.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x10ec0e:$key: HawkEyeKeylogger
  • 0x110e52:$salt: 099u787978786
  • 0x10f24f:$string1: HawkEye_Keylogger
  • 0x1100a2:$string1: HawkEye_Keylogger
  • 0x110db2:$string1: HawkEye_Keylogger
  • 0x10f638:$string2: holdermail.txt
  • 0x10f658:$string2: holdermail.txt
  • 0x10f57a:$string3: wallet.dat
  • 0x10f592:$string3: wallet.dat
  • 0x10f5a8:$string3: wallet.dat
  • 0x110976:$string4: Keylog Records
  • 0x110c8e:$string4: Keylog Records
  • 0x110eaa:$string5: do not script -->
  • 0x10ebf6:$string6: \pidloc.txt
  • 0x10ec84:$string7: BSPLIT
  • 0x10ec94:$string7: BSPLIT
00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x10f2a7:$hawkstr1: HawkEye Keylogger
  • 0x1100e8:$hawkstr1: HawkEye Keylogger
  • 0x110417:$hawkstr1: HawkEye Keylogger
  • 0x110572:$hawkstr1: HawkEye Keylogger
  • 0x1106d5:$hawkstr1: HawkEye Keylogger
  • 0x11094e:$hawkstr1: HawkEye Keylogger
  • 0x10ee35:$hawkstr2: Dear HawkEye Customers!
  • 0x11046a:$hawkstr2: Dear HawkEye Customers!
  • 0x1105c1:$hawkstr2: Dear HawkEye Customers!
  • 0x110728:$hawkstr2: Dear HawkEye Customers!
  • 0x10ef56:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author
11.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
11.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.0.Diagram.exe.130000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x1c9ca:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.Diagram.exe.130000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x1c9ca:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
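The SUSP_Reversed_Base64_Encoded_EXE hits above (same $sh3 string at 0x1c9ca in the submitted file, the dropped NurSHgGUQC.exe and both Diagram.exe unpacks) key on a PE that was base64-encoded and then written backwards: read right to left, uUGZv1GI...cphGV is VGhpcyBw...ZGUu, the base64 of the DOS stub text "This program cannot be run in DOS mode.". The Python below is an added example, not part of the Joe Sandbox report and not Florian Roth's rule; it derives the reversed search string for each of the three base64 alignments of that marker (the rule's $sh1..$sh3 are assumed to cover those alignments; only $sh3 is shown on the page), scans a buffer for them, and carves and decodes the surrounding base64 run back to bytes. The PE-shaped blob it builds as input is constructed test data, not an executable from the sample.

```python
import base64
import re

# DOS stub message present in nearly every PE; the Yara rule above keys on
# its base64 form written backwards.
DOS_STUB = b"This program cannot be run in DOS mode."

# A run of base64 alphabet long enough to hold an encoded executable.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")


def reversed_b64_signatures(marker: bytes = DOS_STUB) -> list:
    """Return the reversed-base64 search strings for `marker`.

    Base64 maps 3 bytes to 4 characters, so the characters that encode the
    marker depend on its offset modulo 3 in the file. Encode it at each of
    the three alignments, keep only the characters fully determined by
    marker bytes, and reverse them.
    """
    sigs = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + marker)
        first = (pad + 2) // 3 * 3           # start of first full group inside marker
        last = (pad + len(marker)) // 3 * 3  # end of last full group inside marker
        core = enc[first // 3 * 4: last // 3 * 4]
        sigs.append(core[::-1].decode("ascii"))
    return sigs


SIGNATURES = reversed_b64_signatures()


def decode_reversed(sig: str) -> bytes:
    """Undo the reversal and base64-decode, e.g. to confirm what a hit is."""
    b64 = sig[::-1].encode("ascii")
    return base64.b64decode(b64 + b"=" * (-len(b64) % 4))


def scan(data: bytes) -> list:
    """Return (offset, alignment) for every reversed-base64 DOS stub found."""
    hits = []
    for align, sig in enumerate(SIGNATURES):
        needle = sig.encode("ascii")
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, align))
            pos = data.find(needle, pos + 1)
    return hits


def carve(data: bytes) -> list:
    """Decode each reversed-base64 run that contains a hit and yields an MZ
    header once restored; returns the recovered payloads."""
    payloads = []
    for m in _B64_RUN.finditer(data):
        run = m.group(0)
        if not scan(run):
            continue
        b64 = run[::-1]
        b64 += b"=" * (-len(b64) % 4)   # restore padding if the encoder dropped it
        try:
            blob = base64.b64decode(b64)
        except ValueError:
            continue
        if blob.startswith(b"MZ"):
            payloads.append(blob)
    return payloads


def build_sample() -> bytes:
    """Constructed test input: a minimal PE-shaped blob (MZ header bytes plus
    the DOS stub; not a runnable executable), base64-encoded, reversed and
    wrapped in filler, the way a .NET dropper might store its next stage."""
    fake_pe = (
        b"MZ" + b"\x90" * 62
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
        + DOS_STUB + b"\r\r\n$" + b"\x00" * 16
        + b"PE\x00\x00"
    )
    return b"filler\x00" + base64.b64encode(fake_pe)[::-1] + b"\x00filler"


if __name__ == "__main__":
    sample = build_sample()
    print("signatures:", SIGNATURES)
    print("hits:", scan(sample))
    for p in carve(sample):
        print("carved %d bytes, starts with %r" % (len(p), p[:2]))
```

The alignment-0 signature the function derives is exactly the $sh3 string in the hits above, which is how you confirm a rule string like this without trusting the description: reverse it, decode it, read the DOS stub. Carving the whole run is what turns a Yara hit into the next-stage binary for further analysis; if the decoded blob does not start with MZ the run was a false positive or a different encoding layer sits in between.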

              Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Diagram.exe' , ParentImage: C:\Users\user\Desktop\Diagram.exe, ParentProcessId: 4268, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp', ProcessId: 3252
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 4824, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 4308
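Both Sigma hits are process-creation rules: the first fires because schtasks.exe registers a task from an XML definition written to the user's Temp directory (persistence for the dropped NurSHgGUQC.exe), the second because vbc.exe, a compiler that has no /stext switch, is launched with the /stext output flag used by the NirSoft recovery tools the sample hollows into it, from a parent whose own command line the sandbox shows only as {path}. The Python below is an added example, not the Sigma rules themselves and not sandbox output: it re-implements the two conditions over a handful of constructed events shaped like the fields above (Image, CommandLine, ParentImage), the first two copied from the report and two benign look-alikes added as negatives. The temp-directory patterns and the exact matching logic are assumptions made for this example, not the published rules' definitions.

```python
import re

# Constructed process-creation events shaped like the Sigma hit fields above.
# The first two mirror the report; the last two are benign negatives.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' "
                       r"/XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\Diagram.exe",
    },
    {
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "
                       r"'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    },
    {   # benign (constructed): task registered from an XML outside any temp dir
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign (constructed): a real VB compile under MSBuild
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
        "CommandLine": r"vbc.exe /target:library /out:Lib.dll Module1.vb",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    },
]

# Assumed temp locations for this example; extend for your environment.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Path argument following /XML, with or without surrounding quotes.
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.IGNORECASE)


def rule_schtasks_temp_xml(ev: dict) -> bool:
    """schtasks.exe /Create whose /XML task definition lives in a temp dir."""
    if not ev["Image"].lower().endswith("\\schtasks.exe"):
        return False
    cl = ev["CommandLine"]
    if "/create" not in cl.lower():
        return False
    m = XML_ARG.search(cl)
    return bool(m and TEMP_DIRS.search(m.group(1)))


def rule_vbc_stext(ev: dict) -> bool:
    """vbc.exe run with /stext: the VB compiler takes no such switch, but the
    NirSoft recovery tools hollowed into it do (dump results to a text file)."""
    return (ev["Image"].lower().endswith("\\vbc.exe")
            and re.search(r"\s/stext\b", ev["CommandLine"], re.IGNORECASE) is not None)


RULES = {
    "Scheduled temp file as task from temp location": rule_schtasks_temp_xml,
    "Suspicious Process Creation (vbc.exe /stext)": rule_vbc_stext,
}


def evaluate(events: list) -> list:
    """Return (rule name, image, parent image) for every matching event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["Image"], ev["ParentImage"]))
    return hits


if __name__ == "__main__":
    for name, image, parent in evaluate(EVENTS):
        print("%s: %s (parent %s)" % (name, image, parent))
```

Matching on the image name rather than the first token of the command line matters here: the report's schtasks.exe event has a System32 path in its command line but a SysWOW64 image, because the 32-bit dropper was redirected. Keeping the parent image in the result is what lets a triage step notice that MSBuild.exe, itself started by a Desktop executable, is the process spawning the password-recovery tools.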

              Signature Overview


              AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NurSHgGUQC.exe Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Roaming\NurSHgGUQC.exe ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: Diagram.exe ReversingLabs: Detection: 14%
Source: 6.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.MSBuild.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: MSBuild.exe, 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: MSBuild.exe, 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function 10_2_00408441: FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function 10_2_00407E0E: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_04E3A568: 4x nop then jmp 04E3A630h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_04E3A559: 4x nop then jmp 04E3A630h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_04E39EF5: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_04E39A2D: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_04E32B75: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA2531: 4x nop then call 04E3A6E8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA2531: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_07269F70: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_07267ED0: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_0726A430: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_0726AB03: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_0726A0CD: 4x nop then lea esp, dword ptr [ebp-08h]
Source: unknown DNS traffic detected: query: 233.75.3.0.in-addr.arpa replaycode: Name error (3)
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.558042903.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.558042903.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000000A.00000003.557386240.0000000002228000.00000004.00000001.sdmp String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&IsFRE=1https://www.msn.com/spartan/ientpres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000A.00000003.557386240.0000000002228000.00000004.00000001.sdmp String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&IsFRE=1https://www.msn.com/spartan/ientpres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 233.75.3.0.in-addr.arpa
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.555339543.0000000002921000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.521686435.00000000056A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000000B.00000002.866583198.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: MSBuild.exe, 00000006.00000002.555519038.0000000002990000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Diagram.exe, 00000000.00000002.496990248.0000000005576000.00000002.00000001.sdmp, MSBuild.exe, 00000006.00000002.560434339.0000000005BB6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_0726679C: SetWindowsHookExA 0000000D,00000000,?,? (idHook 0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook)
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function 10_2_0040D674: OpenClipboard,GetLastError,DeleteFileW
Source: Diagram.exe, 00000000.00000002.481421927.00000000008EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.478357330.0000000003945000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.478357330.0000000003945000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.556351213.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA434C: NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA4364: NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA431C: NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA8CE8: NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA8DA0: NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA42F8: NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA8B88: NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA4310: NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA4334: NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function 6_2_06DA4328: NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function 10_2_00408836: memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_0013920C
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_00132050
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_00BFC164
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_00BFE5B0
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_00BFE5A0
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_07090910
Source: C:\Users\user\Desktop\Diagram.exe Code function: 0_2_07090040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00F3B29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00F3C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00F3C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00F399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_00F3DFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_04E3DA05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA26A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA2531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA4B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA5879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_06DA81C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_07265EB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_072655E86_2_072655E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_0726A4406_2_0726A440
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_0726B4806_2_0726B480
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_07269B506_2_07269B50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_072692E86_2_072692E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_0726B47F6_2_0726B47F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_07269B206_2_07269B20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_072652A06_2_072652A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_0726001F6_2_0726001F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040441910_2_00404419
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040451610_2_00404516
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0041353810_2_00413538
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004145A110_2_004145A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040E63910_2_0040E639
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004337AF10_2_004337AF
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_004399B110_2_004399B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0043DAE710_2_0043DAE7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00405CF610_2_00405CF6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00403F8510_2_00403F85
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00411F9910_2_00411F99
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1900
              Source: Diagram.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: NurSHgGUQC.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.479531894.00000000001D6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEPnCf.exe" vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.481421927.00000000008EA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.503355743.0000000008C70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.503355743.0000000008C70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.502496503.0000000008B80000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSparta.dll. vs Diagram.exe
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLazarus.exe4 vs Diagram.exe
              Source: Diagram.exeBinary or memory string: OriginalFilenameEPnCf.exe" vs Diagram.exe
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
               Source: Diagram.exe, type: SAMPLE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
               Source: 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
               Source: 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: 00000000.00000003.478357330.0000000003945000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
               Source: 00000000.00000003.478357330.0000000003945000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
               Source: 00000006.00000002.553185186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: 00000000.00000000.444329925.0000000000132000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: 00000006.00000002.556351213.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: 00000000.00000002.478982858.0000000000132000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: Process Memory Space: Diagram.exe PID: 4268, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: C:\Users\user\AppData\Roaming\NurSHgGUQC.exe, type: DROPPED Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: 0.0.Diagram.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: 0.2.Diagram.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
               Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
               Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
               Source: Diagram.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: NurSHgGUQC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
               Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
               Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: *.sln
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: /ignoreprojectextensions:.sln
               Source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
               Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/11@1/0
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00415AFD GetLastError, FormatMessageW, FormatMessageA, LocalFree, free
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00415F87 GetDiskFreeSpaceW, GetDiskFreeSpaceA, free
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411196 CreateToolhelp32Snapshot, memset, Process32FirstW, OpenProcess, memset, GetModuleHandleW, GetProcAddress, QueryFullProcessImageNameW, QueryFullProcessImageNameW, FindCloseChangeNotification, free, Process32NextW, FindCloseChangeNotification
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00411EF8 FindResourceW, SizeofResource, LoadResource, LockResource
               Source: C:\Users\user\Desktop\Diagram.exe File created: C:\Users\user\AppData\Roaming\NurSHgGUQC.exe
               Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2948:120:WilError_01
               Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4824
               Source: C:\Users\user\Desktop\Diagram.exe File created: C:\Users\user\AppData\Local\Temp\tmp531A.tmp
               Source: Diagram.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: C:\Users\user\Desktop\Diagram.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
               Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
               Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
               Source: C:\Users\user\Desktop\Diagram.exe File read: C:\Users\user\Desktop\desktop.ini
               Source: C:\Users\user\Desktop\Diagram.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
               Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000002.558042903.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
               Source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
               Source: Diagram.exe ReversingLabs: Detection: 14%
               Source: C:\Users\user\Desktop\Diagram.exe File read: C:\Users\user\Desktop\Diagram.exe
               Source: unknown Process created: C:\Users\user\Desktop\Diagram.exe 'C:\Users\user\Desktop\Diagram.exe'
               Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'
               Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
               Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1900
               Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
               Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
               Source: C:\Users\user\Desktop\Diagram.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'
               Source: C:\Users\user\Desktop\Diagram.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
               Source: C:\Users\user\Desktop\Diagram.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
               Source: C:\Users\user\Desktop\Diagram.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: Diagram.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: Diagram.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
               Source: Diagram.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb+kB source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: msctf.pdb7] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdbYkp source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbntermediate\ndp_msbuild\xma source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.526927351.0000000005220000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb!kH source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb5k\ source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.562060128.0000000006DD0000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.866583198.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: dnsapi.pdb%] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdbEkl source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ source: WER8584.tmp.dmp.9.dr
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: dwmapi.pdbk source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: winrnr.pdby\ source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER8584.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb` source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: rCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.541745211.0000000000752000.00000004.00000010.sdmp
              Source: Binary string: comctl32.pdb/] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdbM\ source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Management.ni.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBX source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8584.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdbLk source: WER8584.tmp.dmp.9.dr
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WER8584.tmp.dmp.9.dr
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb< source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: powrprof.pdb?kV source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Management.pdbv source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: .pdb/ source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: System.ni.pdb<3 source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.526927351.0000000005220000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: ore.pdbE source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdb3kZ source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.526927351.0000000005220000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb4 source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: _ .pdbp source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: System.pdb&& source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: version.pdbw source: WerFault.exe, 00000009.00000003.526966650.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: gdiplus.pdb[] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb_ source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.526927351.0000000005220000.00000004.00000040.sdmp
              Source: Binary string: anagement.ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: dhcpcsvc.pdb#] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER8584.tmp.dmp.9.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdbQ] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Diagram.exe, 00000000.00000002.491940847.000000000380F000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.556591014.0000000003921000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: ws2_32.pdb-kD source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbH source: WER8584.tmp.dmp.9.dr
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: i0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000006.00000002.562613308.0000000007BFB000.00000004.00000010.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.526927351.0000000005220000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb9] source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.526582374.00000000050B1000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.526331311.000000000523B000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.526274612.0000000005222000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdbCkj source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000003.523506922.00000000053A0000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: WerFault.exe, 00000009.00000002.546241353.0000000000D40000.00000002.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.526654540.000000000523C000.00000004.00000001.sdmp, WER8584.tmp.dmp.9.dr
              Source: Binary string: wmswsock.pdbWk~ source: WerFault.exe, 00000009.00000003.526292577.000000000522B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdbRSDS source: WER8584.tmp.dmp.9.dr
              Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.526212422.000000000522E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbR\ source: WER8584.tmp.dmp.9.dr

              Data Obfuscation:

.NET source code contains potential unpacker
Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xA4DC3335 [Fri Aug 24 16:00:53 2057 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 10_2_004422C7
Source: C:\Users\user\Desktop\Diagram.exe | Code function: 0_2_00132818 push eax; ret | 0_2_00132819
Source: C:\Users\user\Desktop\Diagram.exe | Code function: 0_2_001327C3 push eax; ret | 0_2_001327C4
Source: C:\Users\user\Desktop\Diagram.exe | Code function: 0_2_07094C15 push FFFFFF8Bh; iretd | 0_2_07094C17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_04E3120F push dword ptr [edx+edx-75h]; iretd | 6_2_04E311F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_04E3AC12 pushfd ; ret | 6_2_04E3AC21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_04E3CE3F push ecx; ret | 6_2_04E3CE95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0726D1A9 push esp; retf | 6_2_0726D1AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_07268084 push eax; retn 04E2h | 6_2_07268089
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442871 push ecx; ret | 10_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442A90 push eax; ret | 10_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00442A90 push eax; ret | 10_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00446E54 push eax; ret | 10_2_00446E61
Source: initial sample | Static PE information: section name: .text entropy: 7.91719574867
Source: C:\Users\user\Desktop\Diagram.exe | File created: C:\Users\user\AppData\Roaming\NurSHgGUQC.exe

              Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'

              Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 10_2_00441975
Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\Diagram.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical entries)

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match File source: 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Diagram.exe PID: 4268, type: MEMORY
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Diagram.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\Diagram.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
              Source: C:\Users\user\Desktop\Diagram.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\Diagram.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\Diagram.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
              Source: C:\Users\user\Desktop\Diagram.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,10_2_00408836
              Source: C:\Users\user\Desktop\Diagram.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 300000
              Source: C:\Users\user\Desktop\Diagram.exe TID: 1224 Thread sleep time: -38000s >= -30000s
              Source: C:\Users\user\Desktop\Diagram.exe TID: 2932 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4612 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1160 Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1168 Thread sleep time: -140000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1096 Thread sleep time: -300000s >= -30000s
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,10_2_00408441
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,10_2_00407E0E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004161B0 memset,GetSystemInfo,10_2_004161B0
              Source: WerFault.exe, 00000009.00000002.550845401.0000000004E20000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: vmware
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: WerFault.exe, 00000009.00000002.550525497.0000000004B20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: VMWARE
              Source: WerFault.exe, 00000009.00000002.550845401.0000000004E20000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: WerFault.exe, 00000009.00000002.550637802.0000000004B65000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
              Source: WerFault.exe, 00000009.00000002.550845401.0000000004E20000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
              Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmp Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
              Source: WerFault.exe, 00000009.00000002.550845401.0000000004E20000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort (2 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0726BD40 LdrInitializeThunk,6_2_0726BD40
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,10_2_00408836
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 10_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_004422C7
              Source: C:\Users\user\Desktop\Diagram.exe Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Diagram.exe Memory allocated: page read and write | page guard
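Read together, the evasion entries above enumerate exactly which host properties the sample inspects before it unpacks: five registry values (SystemBiosVersion and VideoBiosVersion, the SCSI port 0 Identifier, the DriverDesc of the first adapter in the display-adapter device class {4d36e968-e325-11ce-bfc1-08002be10318}, and the first Disk\Enum entry), a SELECT * FROM Win32_VideoController WMI query, the Sandboxie module name SbieDll.dll, the Wine-only kernel32 export wine_get_unix_file_name, VMware Tools file and registry paths, the "VMware SVGA II" adapter name, and long delays. The value 922337203685477 is TimeSpan.MaxValue expressed in milliseconds, so a sandbox that honours it sees no further activity, while one that skips sleeps may be detected by the thread measuring elapsed time. The Hyper-V strings attributed to WerFault.exe are almost certainly Windows message-table text mapped into the crash reporter, not something the sample searches for, and are excluded below. The following script is an added example and not part of the Joe Sandbox report: it parses these report lines (copied as the page renders them, fused field names and "Jump to behavior" link text included) into a structured list of what a sandbox image has to present convincingly. The category names (module, export, path, registry_key, string) and the wording of spoof_plan are this example's own choices.

```python
"""Parse the sandbox-evasion entries of a Joe Sandbox report into the list of
host properties a sample inspects. Added example; not part of the report."""
import re
from collections import defaultdict

# Lines copied from the report above (constructed input for this example):
# source and detail are fused without a space and some lines keep the
# 'Jump to behavior' link text, exactly as the page renders them.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Diagram.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Diagram.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
Source: C:\Users\user\Desktop\Diagram.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\Diagram.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\Diagram.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0Jump to behavior
Source: C:\Users\user\Desktop\Diagram.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\Diagram.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\Diagram.exe TID: 1224Thread sleep time: -38000s >= -30000sJump to behavior
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Diagram.exe, 00000000.00000002.485421650.0000000002551000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
"""

# 'source' is non-greedy so a fused 'Diagram.exeRegistry key queried' splits at
# the first recognised field name; the optional tail eats the link text.
LINE_RE = re.compile(
    r"^Source: (?P<source>.*?)"
    r"(?P<kind>WMI Queries|Registry key queried|Binary or memory string"
    r"|Thread delayed: delay time|Thread sleep time): "
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)
REG_RE = re.compile(r"^(?P<key>.+?) name: (?P<value>.+)$")


def classify_string(s):
    """Bucket a memory string by how the sample can use it (this example's own
    categories): a module name to look for in the process, an export that only
    Wine's kernel32 has, a registry key or file path to probe, or a plain string
    compared against device and driver names."""
    u = s.upper()
    if u.endswith(".DLL"):
        return "module"
    if u.startswith("WINE_"):
        return "export"
    if u.startswith("SOFTWARE\\"):
        return "registry_key"
    if ":\\" in s:
        return "path"
    return "string"


def parse_report(text):
    """Group every recognised report line by the kind of probe it records."""
    found = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, detail = m.group("kind"), m.group("detail")
        if kind == "Registry key queried":
            r = REG_RE.match(detail)
            if r:
                found["registry"].append((r.group("key"), r.group("value")))
        elif kind == "WMI Queries":
            cls = re.search(r"\bFROM\s+(\w+)", detail, re.IGNORECASE)
            found["wmi"].append(cls.group(1) if cls else detail)
        elif kind == "Binary or memory string":
            found[classify_string(detail)].append(detail)
        else:
            # Delay as printed by the report; a negative value is a relative
            # interval in the NT API, so only the magnitude matters here.
            found["sleep"].append(abs(int(re.search(r"-?\d+", detail).group())))
    return dict(found)


def spoof_plan(found):
    """What a sandbox image has to present convincingly, one item per probe."""
    plan = [f"registry value {key}\\{value}" for key, value in found.get("registry", [])]
    plan += [f"WMI query on class {cls}" for cls in found.get("wmi", [])]
    plan += [f"module {mod} must not be loaded" for mod in found.get("module", [])]
    plan += [f"kernel32 must not export {exp}" for exp in found.get("export", [])]
    for s in found.get("path", []) + found.get("registry_key", []) + found.get("string", []):
        plan.append(f"no artefact matching '{s}'")
    longest = max(found.get("sleep", [0]))
    plan.append(f"longest requested delay {longest} (skip or accelerate sleeps)")
    return plan


if __name__ == "__main__":
    for item in spoof_plan(parse_report(REPORT_LINES)):
        print(item)
```

The same parser works on the rest of this report's "Registry key queried" and "Binary or memory string" lines; only the five kinds named in LINE_RE are recognised, so anything else is silently skipped.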

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 6.2.MSBuild.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 6.2.MSBuild.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Sample uses process hollowing technique
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 (2 identical entries)
              Source: C:\Users\user\Desktop\Diagram.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' /XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'
              Source: C:\Users\user\Desktop\Diagram.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
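The four "Process created" lines above are the whole execution chain: Diagram.exe registers a scheduled task from an XML file in the user's Temp directory (the Sigma hit listed in the overview), starts the signed Microsoft binary MSBuild.exe as the host for its RunPE payload, and MSBuild.exe, now running the unpacked code, starts vbc.exe twice with "/stext <file>". "/stext" is the save-as-text switch of NirSoft's recovery tools (the MailPassView and WebBrowserPassView detections in this report); the Visual Basic compiler has no such option, which is what makes those lines detectable even though MSBuild launching vbc.exe is normal during a VB build. The Python below is an added example and not part of the report: three detection rules run over constructed process-creation events, of which the first four mirror the report and the last two are benign look-alikes the rules must leave alone. The benign paths, the rule names and the "user-writable parent" heuristic are this example's assumptions.

```python
"""Detection rules for the process chain this report records, run over
constructed process-creation events (made up for this example; not telemetry
from the sandbox run)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed events: the first four mirror the report's "Process created"
# lines, the last two are benign look-alikes that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\Diagram.exe",
              r"C:\Users\user\Desktop\Diagram.exe"),
    ProcEvent(r"C:\Users\user\Desktop\Diagram.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NurSHgGUQC' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp531A.tmp'"),
    ProcEvent(r"C:\Users\user\Desktop\Diagram.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "
              r"'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    # Benign (assumed): a build started from a shell on a project file, and a
    # task imported by an administrator from a non-temp location.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.vbproj /t:Build"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\Tasks\backup.xml"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_PATH = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_task_from_temp_xml(ev):
    """schtasks /Create ... /XML <file under %LocalAppData%\\Temp>, the
    behaviour behind the 'Scheduled temp file as task from temp location' hit."""
    cl = ev.command_line.lower()
    if (_name(ev.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and TEMP_DIR.search(ev.command_line)):
        return "scheduled task imported from XML in the user Temp directory"
    return None


def rule_msbuild_from_user_location(ev):
    """MSBuild.exe started by a parent in a user-writable path with no project
    or solution on its command line: nothing to build, so the signed binary is
    only there to be hollowed (heuristic assumed for this example)."""
    if _name(ev.image) != "msbuild.exe":
        return None
    has_project = re.search(r"\.\w*proj\b|\.sln\b", ev.command_line, re.IGNORECASE)
    if USER_PATH.match(ev.parent_image) and not has_project:
        return "MSBuild.exe launched without a project by a parent in a user path"
    return None


def rule_stext_dump(ev):
    """'/stext <file>' is NirSoft's save-as-text switch (MailPassView,
    WebBrowserPassView); vbc.exe has no such option, so the process image is
    not what its path says. MSBuild spawning vbc.exe on its own is normal."""
    if re.search(r"(?:^|\s)/stext(?:\s|$)", ev.command_line, re.IGNORECASE):
        return f"/stext dump switch in {_name(ev.image)} (NirSoft tool in a hollowed process)"
    return None


RULES = (rule_task_from_temp_xml, rule_msbuild_from_user_location, rule_stext_dump)


def detect(events):
    """Return (image name, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((_name(ev.image), reason))
    return hits


if __name__ == "__main__":
    for image, reason in detect(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The third rule is the one worth keeping on its own: it does not depend on the hollowing host (here MSBuild.exe and vbc.exe, elsewhere any .NET Framework binary) and fires on the credential dump regardless of which process the payload was injected into.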
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Users\user\Desktop\Diagram.exe VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Diagram.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJu