Windows Analysis Report
Ycj3d5NMhc.exe

Overview

General Information

Sample name: Ycj3d5NMhc.exe
renamed because original name is a hash value
Original sample name: c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269.exe
Analysis ID: 1483417
MD5: 10da3cc4689926de08a0ba47481acead
SHA1: 37d4b0ce7114c0cc427705f35430656bc3d4c049
SHA256: c269ec6cc10cfa210817133e43becae40004a1ddb2220646cddf8a3165bf4269
Tags: exe, investdirectinsurance-com

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: Ycj3d5NMhc.exe ReversingLabs: Detection: 23%
Source: Ycj3d5NMhc.exe Virustotal: Detection: 9%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 104.21.65.79:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: Ycj3d5NMhc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Desktop\Outputs\Evop.pdb source: Ycj3d5NMhc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 00EBA7FCh 3_2_00EBA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 00EBA80Fh 3_2_00EBA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 059D9ED4h 3_2_059D9B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, dword ptr [ebp-000000C4h] 3_2_059DAD6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 3_2_059DC19F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_059D3A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_059D3A7E
Source: global traffic TCP traffic: 192.168.2.8:49710 -> 79.110.49.176:2233
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Victim_SID.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /assuence/litesolidCha/Zopi.bd HTTP/1.1User-Agent: Mozilla/5.0Host: investdirectinsurance.comCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Code function: 0_2_00007FFB4B05164D InternetReadFile, 0_2_00007FFB4B05164D
Source: global traffic DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.00000000008A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/
Source: Ycj3d5NMhc.exe String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd4
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdP
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdj
Source: Ycj3d5NMhc.exe String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Zopi.bd
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490876841.000000001B618000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://investdirectinsurance.com/m
Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002941000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/json
Source: MSBuild.exe, 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002986000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002AA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/missingauth
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1525299232.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00EBD3C0 NtWow64QueryInformationProcess64, 3_2_00EBD3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00EBDD94 NtWow64ReadVirtualMemory64, 3_2_00EBDD94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00EBD3B8 NtWow64QueryInformationProcess64, 3_2_00EBD3B8
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1489951347.00000000026A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490715904.000000001AFC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamegh2q.dll4 vs Ycj3d5NMhc.exe
Source: Ycj3d5NMhc.exe, 00000000.00000002.1489951347.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStyxStealer.exe8 vs Ycj3d5NMhc.exe
Source: classification engine Classification label: mal96.spyw.evad.winEXE@7/5@2/3
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Victim_SID[1].bd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: Ycj3d5NMhc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ycj3d5NMhc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000003.00000002.1523018849.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1523018849.0000000002E10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\Ycj3d5NMhc.exe "C:\Users\user\Desktop\Ycj3d5NMhc.exe"
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Ycj3d5NMhc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ycj3d5NMhc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Ycj3d5NMhc.exe, PreventFromWeb.cs .Net Code: FOBDestination System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0592BFC9 push 9C058843h; retf 3_2_0592BFD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_059D0C03 push eax; mov dword ptr [esp], ecx 3_2_059D0C14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_059D22D3 push eax; mov dword ptr [esp], ecx 3_2_059D22E4
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD6E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7ADA04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7ADAA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AE654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD2E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AF3F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AF314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API/Special instruction interceptor: Address: 7FFBCB7AD1A4
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory allocated: D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory allocated: 1A680000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2959
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe TID: 4540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3840 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5964 Thread sleep count: 623 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5964 Thread sleep count: 2959 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 964 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Ycj3d5NMhc.exe, 00000000.00000002.1487067677.0000000000857000.00000004.00000020.00020000.00000000.sdmp, Ycj3d5NMhc.exe, 00000000.00000002.1490876841.000000001B618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1530669703.0000000006FC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1521409264.0000000000C07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: MSBuild.exe, 00000003.00000002.1525299232.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00EBC038 LdrInitializeThunk, 3_2_00EBC038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Ycj3d5NMhc.exe, ThemeManager.cs Reference to suspicious API methods: Application.Current.TryFindResource((object)new ComponentResourceKey(typeof(NavigationPane), (object)"ActiveTheme"))
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, ParentProcessUtil.cs Reference to suspicious API methods: NativeMethods.OpenProcess(PROCESS_QUERY_INFORMATION, bInheritHandle: false, (uint)id)
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: KernelLoadLibrary64(GeckoResourcePath + "nss3.dll")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(NSS3, "NSS_Init")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "VirtualProtectEx")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, FireFoxDecryptor.cs Reference to suspicious API methods: HeavensGate.GetProcAddress64(num, "WriteProcessMemory")
Source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, HeavensGateProcessor.cs Reference to suspicious API methods: NativeMethods.ReadProcessMemory(lpTargetHandle, (uint)processParameters, intPtr, (uint)Marshal.SizeOf(typeof(ulong)), ref lpNumberOfBytesRead)
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 983008
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "wmic" csproduct get UUID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\Ycj3d5NMhc.exe Queries volume information: C:\Users\user\Desktop\Ycj3d5NMhc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectronCash_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx LibertyAaiaifbiceejhhkfbjdgonjgljkpcdhch
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC_config_file
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus_directory
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum_directory
Source: Ycj3d5NMhc.exe, 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ycj3d5NMhc.exe.12689ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1523018849.000000000298A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1521055612.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1490044573.0000000012689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ycj3d5NMhc.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5992, type: MEMORYSTR