Loading ...

Play interactive tourEdit tour

Analysis Report BingUpdate.exe

Overview

General Information

Sample Name:BingUpdate.exe
Analysis ID:253888
MD5:c5394841f481ecbaa80640e168da88f4
SHA1:9e1c8c8d3761b3026a0ba2b49f79f7fccbdf29b7
SHA256:9ec8e30fe5bac7ee3e9c096fc3702286d6c0fbee3ae1fa4cd7d5a6a411b600e5

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BingUpdate.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\BingUpdate.exe' MD5: C5394841F481ECBAA80640E168DA88F4)
    • schtasks.exe (PID: 7000 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 7124 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 4652 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF22.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 4484 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.12"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
BingUpdate.exeSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth
  • 0x322fd:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\&startupname&.exeSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth
  • 0x322fd:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xa89bd:$x1: NanoCore.ClientPluginHost
    • 0xdb7fd:$x1: NanoCore.ClientPluginHost
    • 0xa89fa:$x2: IClientNetworkHost
    • 0xdb83a:$x2: IClientNetworkHost
    • 0xac52d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0xdf36d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 16 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.BingUpdate.exe.4f0000.0.unpackSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth
      • 0x322fd:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
      5.2.MSBuild.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      5.2.MSBuild.exe.400000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      5.2.MSBuild.exe.400000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        5.2.MSBuild.exe.400000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        Click to see the 9 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7124, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\BingUpdate.exe' , ParentImage: C:\Users\user\Desktop\BingUpdate.exe, ParentProcessId: 6924, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp', ProcessId: 7000

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: MSBuild.exe.7124.5.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.12"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.536033873.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.532580235.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORY
        Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.MSBuild.exe.6470000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.MSBuild.exe.6470000.4.unpack, type: UNPACKEDPE
        Source: global trafficTCP traffic: 192.168.2.6:49737 -> 185.140.53.12:6512
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
        Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
        Source: unknownTCP traffic detected without corresponding DNS query: 95.100.127.49
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 2.18.69.200
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 40.90.137.127
        Source: unknownTCP traffic detected without corresponding DNS query: 40.90.137.127
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 40.90.137.120
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknownDNS traffic detected: queries for: positivemikey.myq-see.com
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmp, MSBuild.exe, 00000005.00000002.532580235.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
        Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49679
        Source: BingUpdate.exe, 00000000.00000002.284745891.0000000000BB9000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: MSBuild.exe, 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.536033873.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.532580235.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORY
        Source: Yara matchFile source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.MSBuild.exe.6470000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.MSBuild.exe.6470000.4.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.536033873.0000000003EE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.537673530.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.MSBuild.exe.63e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.MSBuild.exe.6470000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.MSBuild.exe.6470000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_004F4B530_2_004F4B53
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1E11C0_2_00F1E11C
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F104A00_2_00F104A0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1D8B80_2_00F1D8B8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1B8290_2_00F1B829
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1F9F80_2_00F1F9F8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F119700_2_00F11970
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1EA9C0_2_00F1EA9C
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1AF300_2_00F1AF30
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1A0580_2_00F1A058
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1A0470_2_00F1A047
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F152A00_2_00F152A0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1E5B00_2_00F1E5B0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1D8080_2_00F1D808
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1EAF40_2_00F1EAF4
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1CCD00_2_00F1CCD0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F47C480_2_04F47C48
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F48EE00_2_04F48EE0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F477A00_2_04F477A0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F4B2C80_2_04F4B2C8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F422580_2_04F42258
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F45B100_2_04F45B10
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F47C390_2_04F47C39
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F41DF40_2_04F41DF4
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F41DF80_2_04F41DF8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F42DC00_2_04F42DC0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F495B50_2_04F495B5
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F45D8A0_2_04F45D8A
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F42D180_2_04F42D18
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F477910_2_04F47791
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F420A80_2_04F420A8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F420980_2_04F42098
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F4184C0_2_04F4184C
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F409F70_2_04F409F7
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F409F80_2_04F409F8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F451C00_2_04F451C0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F4810F0_2_04F4810F
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F422490_2_04F42249
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F4D2100_2_04F4D210
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F463E80_2_04F463E8
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F41BC00_2_04F41BC0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F41BB00_2_04F41BB0
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F463900_2_04F46390
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F45B020_2_04F45B02
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_053CBD980_2_053CBD98
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0130E4715_2_0130E471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0130E4795_2_0130E479
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0130E4805_2_0130E480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0130BBD45_2_0130BBD4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053FF5F85_2_053FF5F8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053FA5D05_2_053FA5D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053F97885_2_053F9788
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_069700405_2_06970040
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D400010_2_006D4000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D5CF910_2_006D5CF9
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D214810_2_006D2148
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D4A2010_2_006D4A20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D1A4010_2_006D1A40
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_006D213310_2_006D2133
        Source: BingUpdate.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: &startupname&.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: BingUpdate.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: &startupname&.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: BingUpdate.exeBinary or memory string: OriginalFilename vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.285481811.0000000002891000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSparta.dll. vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.284745891.0000000000BB9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000000.265092047.00000000004F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUkdxr.exe, vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.291088329.0000000005410000.00000002.00000001.sdmpBinary or memory string: originalfilename vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.291088329.0000000005410000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.291746829.0000000005F90000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs BingUpdate.exe
        Source: BingUpdate.exe, 00000000.00000002.291149291.0000000005430000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLoreal.exe4 vs BingUpdate.exe
        Source: BingUpdate.exeBinary or memory string: OriginalFilenameUkdxr.exe, vs BingUpdate.exe
        Source: BingUpdate.exe, type: SAMPLEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.537787954.0000000006470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.288915967.00000000038E5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000000.265092047.00000000004F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000000.00000002.284072854.00000000004F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000005.00000002.536033873.0000000003EE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.537673530.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.537673530.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.530760826.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 7124, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: BingUpdate.exe PID: 6924, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPEDMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 0.2.BingUpdate.exe.4f0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.MSBuild.exe.63e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.MSBuild.exe.63e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.0.BingUpdate.exe.4f0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 5.2.MSBuild.exe.6470000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.MSBuild.exe.6470000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.MSBuild.exe.6470000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.MSBuild.exe.6470000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: BingUpdate.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: &startupname&.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: BingUpdate.exeBinary or memory string: Deltauser.sln
        Source: MSBuild.exe, 0000000A.00000002.299620804.0000000002511000.00000004.00000001.sdmpBinary or memory string: *.sln
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/9@23/2
        Source: C:\Users\user\Desktop\BingUpdate.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BingUpdate.exe.logJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{a3641b00-65ad-4f54-82b8-4ef534f89d7c}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
        Source: C:\Users\user\Desktop\BingUpdate.exeFile created: C:\Users\user\AppData\Local\Temp\&startupname&.exeJump to behavior
        Source: BingUpdate.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\BingUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeFile read: C:\Users\user\Desktop\BingUpdate.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\BingUpdate.exe 'C:\Users\user\Desktop\BingUpdate.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF22.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF22.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: BingUpdate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: BingUpdate.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_00F1C9C0 push esp; ret 0_2_00F1C9C1
        Source: C:\Users\user\Desktop\BingUpdate.exeCode function: 0_2_04F468D0 push esi; retf 0_2_04F468DC
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053FB5E0 push eax; retf 5_2_053FB5ED
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053F0331 push ecx; retf 5_2_053F0333
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_053F69F8 pushad ; retf 5_2_053F69F9
        Source: initial sampleStatic PE information: section name: .text entropy: 7.6547045909
        Source: initial sampleStatic PE information: section name: .text entropy: 7.6547045909
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\BingUpdate.exeFile created: C:\Users\user\AppData\Local\Temp\&startupname&.exeJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFC36.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM_3Show sources
        Source: Yara matchFile source: Process Memory Space: BingUpdate.exe PID: 6924, type: MEMORY
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
        Source: C:\Users\user\Desktop\BingUpdate.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\BingUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 4666Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 4653Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 887Jump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exe TID: 6928Thread sleep time: -38000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\BingUpdate.exe TID: 6944Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4500Thread sleep time: -9223372036854770s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5948Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: BingUpdate.exe, 00000000.00000002.291467109.00000000054A0000.00000004.00000001.sdmpBinary or memory string: VMware
        Source: MSBuild.exe, 00000005.00000002.538299570.0000000006D40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: MSBuild.exe, 00000005.00000002.532336855.00000000013FE000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: BingUpdate.exe, 00000000.00000002.291467109.00000000054A0000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-000374064.9display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMware
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: MSBuild.exe, 00000005.00000002.538299570.0000000006D40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: MSBuild.exe, 00000005.00000002.538299570.0000000006D40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: BingUpdate.exe, 00000000.00000002.285851923.0000000002A91000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
        Source: MSBuild.exe, 00000005.00000002.538299570.0000000006D40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\BingUpdate.exeProcess information queried: ProcessInformation