Windows Analysis Report
S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe

Overview

General Information

Sample name: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Analysis ID: 1651310
MD5: 09f7e5af8af839111c760e5fead1363f
SHA1: 0246df446a9a24c84285abb90374995fab8fd9f7
SHA256: 81e8ba37f175c8798101d49019f24188d0877185e68cbe8b2ad3ca1f0cb89eef
Tags: exeuser-aachum
Infos:

Detection

DarkTortilla, GO Backdoor
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected GO Backdoor
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
DarkTortilla DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hbtmoxvlf Avira: detection malicious, Label: TR/Kryptik.fyrmj
Source: C:\Users\user\AppData\Local\Temp\teclexg Avira: detection malicious, Label: TR/Kryptik.fyrmj
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hbtmoxvlf ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\teclexg ReversingLabs: Detection: 79%
Multi AV Scanner detection for submitted file
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Virustotal: Detection: 60% Perma Link
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe ReversingLabs: Detection: 58%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.9%
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A7CB CryptSignAndEncodeCertificate, 0_2_01C1A7CB
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A7DE CryptExportPublicKeyInfo, 0_2_01C1A7DE
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A7F1 CryptEncodeObject, 0_2_01C1A7F1
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A789 CryptAcquireCertificatePrivateKey, 0_2_01C1A789
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A75A CryptAcquireContextU, 0_2_01C1A75A
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A700 CryptDecryptMessage, 0_2_01C1A700
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A713 CryptDecryptAndVerifyMessageSignature, 0_2_01C1A713
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A726 CryptVerifyDetachedMessageSignature, 0_2_01C1A726
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A739 CryptVerifyMessageSignature, 0_2_01C1A739
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A6C7 CryptEncryptMessage, 0_2_01C1A6C7
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A6DA CryptSignMessage, 0_2_01C1A6DA
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A6ED CryptSignAndEncryptMessage, 0_2_01C1A6ED
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A84B CryptMsgClose, 0_2_01C1A84B
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A859 CryptFindOIDInfo, 0_2_01C1A859
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A804 CryptDecodeObject, 0_2_01C1A804
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A817 CryptMsgOpenToDecode, 0_2_01C1A817
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A82A CryptMsgUpdate, 0_2_01C1A82A
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A838 CryptMsgGetParam, 0_2_01C1A838
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C077CC CryptDecryptMessage, 0_2_01C077CC
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C077F0 CryptDecryptAndVerifyMessageSignature, 0_2_01C077F0
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C077A2 CryptSignAndEncryptMessage, 0_2_01C077A2
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07754 CryptEncryptMessage, 0_2_01C07754
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0777B CryptSignMessage, 0_2_01C0777B
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C079C7 CryptDecodeObject, 0_2_01C079C7
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C079EE CryptMsgOpenToDecode, 0_2_01C079EE
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07985 CryptExportPublicKeyInfo, 0_2_01C07985
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C079A6 CryptEncodeObject, 0_2_01C079A6
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07958 CryptSignAndEncodeCertificate, 0_2_01C07958
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C078D6 CryptAcquireCertificatePrivateKey, 0_2_01C078D6
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07847 CryptVerifyMessageSignature, 0_2_01C07847
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0787F CryptAcquireContextU, 0_2_01C0787F
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0781D CryptVerifyDetachedMessageSignature, 0_2_01C0781D
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07AB3 CryptImportPublicKeyInfo, 0_2_01C07AB3
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07A50 CryptMsgClose, 0_2_01C07A50
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07A61 CryptFindOIDInfo, 0_2_01C07A61
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07A7A CryptVerifyCertificateSignature, 0_2_01C07A7A
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07A12 CryptMsgUpdate, 0_2_01C07A12
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07A2F CryptMsgGetParam, 0_2_01C07A2F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A789 CryptAcquireCertificatePrivateKey, 7_2_0187A789
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018677A2 CryptSignAndEncryptMessage, 7_2_018677A2
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018677CC CryptDecryptMessage, 7_2_018677CC
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A7CB CryptSignAndEncodeCertificate, 7_2_0187A7CB
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A7DE CryptExportPublicKeyInfo, 7_2_0187A7DE
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018677F0 CryptDecryptAndVerifyMessageSignature, 7_2_018677F0
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A7F1 CryptEncodeObject, 7_2_0187A7F1
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A700 CryptDecryptMessage, 7_2_0187A700
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A713 CryptDecryptAndVerifyMessageSignature, 7_2_0187A713
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A726 CryptVerifyDetachedMessageSignature, 7_2_0187A726
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A739 CryptVerifyMessageSignature, 7_2_0187A739
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867754 CryptEncryptMessage, 7_2_01867754
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A75A CryptAcquireContextU, 7_2_0187A75A
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186777B CryptSignMessage, 7_2_0186777B
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A6C7 CryptEncryptMessage, 7_2_0187A6C7
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A6DA CryptSignMessage, 7_2_0187A6DA
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A6ED CryptSignAndEncryptMessage, 7_2_0187A6ED
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867985 CryptExportPublicKeyInfo, 7_2_01867985
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018679A6 CryptEncodeObject, 7_2_018679A6
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018679C7 CryptDecodeObject, 7_2_018679C7
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018679EE CryptMsgOpenToDecode, 7_2_018679EE
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867958 CryptSignAndEncodeCertificate, 7_2_01867958
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018678D6 CryptAcquireCertificatePrivateKey, 7_2_018678D6
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A804 CryptDecodeObject, 7_2_0187A804
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A817 CryptMsgOpenToDecode, 7_2_0187A817
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186781D CryptVerifyDetachedMessageSignature, 7_2_0186781D
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A82A CryptMsgUpdate, 7_2_0187A82A
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A838 CryptMsgGetParam, 7_2_0187A838
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867847 CryptVerifyMessageSignature, 7_2_01867847
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A84B CryptMsgClose, 7_2_0187A84B
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A859 CryptFindOIDInfo, 7_2_0187A859
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186787F CryptAcquireContextU, 7_2_0186787F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867AB3 CryptImportPublicKeyInfo, 7_2_01867AB3
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867A12 CryptMsgUpdate, 7_2_01867A12
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867A2F CryptMsgGetParam, 7_2_01867A2F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867A50 CryptMsgClose, 7_2_01867A50
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867A61 CryptFindOIDInfo, 7_2_01867A61
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867A7A CryptVerifyCertificateSignature, 7_2_01867A7A
Uses 32bit PE files
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1133776428.0000000005317000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1135970008.0000000005670000.00000004.00000800.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1223321326.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1222447832.0000000002920000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1558117489.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1555542608.0000000002C83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Input.pdbGCTL source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001961000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1514654865.00000000016C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1133776428.0000000005317000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1135970008.0000000005670000.00000004.00000800.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1223321326.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1222447832.0000000002920000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1558117489.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1555542608.0000000002C83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Input.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001961000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1514654865.00000000016C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -uC:\Windows\exe\MSBuild.pdb- source: MSBuild.exe, 00000002.00000002.1477579693.0000000001E99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Dev\branches\v20\Release\IPWorksIPC\cpp\Release32\ipworksipc20.full.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111873069.0000000001BF0000.00000040.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\s\exe\Win32\Release\Tcpvcon.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006D1C000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1221910418.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 00000004.00000000.1105896356.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 0000000F.00000000.1502698478.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 0000000F.00000002.1554655637.000000000075F000.00000002.00000001.01000000.0000000C.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0075611F FindFirstFileExW, 4_2_0075611F
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0075611F FindFirstFileExW, 15_2_0075611F

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 193.187.172.163 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 147.45.196.157 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 46.8.232.106 443 Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View IP Address: 193.187.172.163 193.187.172.163
Source: Joe Sandbox View IP Address: 147.45.196.157 147.45.196.157
Source: Joe Sandbox View IP Address: 147.45.196.157 147.45.196.157
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View ASN Name: ITOS-ASRU ITOS-ASRU
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: global traffic HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: 3.238.64.98.in-addr.arpa
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: 46.8.232.106:443User-Agent: Go-http-client/1.1Content-Length: 186X-Api-Key: G2YfBzF38MKFHa5c67OyK4VZqwKZmOZGAccept-Encoding: gzip
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: FortectUpdater.exe, 00000007.00000002.1520422573.00000000031FA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Q
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.000000000350A000.00000004.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.857770508.000000000066C000.00000020.00000001.01000000.00000003.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000004547000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000000.1225501584.000000000079D000.00000020.00000001.01000000.00000010.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.000000000315A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/com.codegear.sanctuary.srs.v8.server.services.licenseverification.LicenseVerifica
Source: FortectUpdater.exe, 00000007.00000002.1520422573.00000000031DD000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000000.1225501584.0000000000600000.00000020.00000001.01000000.00000010.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: http://www.borland.com/namespaces/Types
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.000000000358D000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.00000000031DD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.000000000358D000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.00000000031DD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006D1C000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1222624736.0000000003016000.00000004.00000800.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1557379607.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111873069.0000000001BF0000.00000040.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp, FortectUpdater.exe, FortectUpdater.exe, 00000007.00000002.1516656039.00000000018F5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nsoftware.com/about
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111873069.0000000001BF0000.00000040.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp, FortectUpdater.exe, 00000007.00000002.1516656039.00000000018F5000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nsoftware.com/aboutIPWorks
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: FortectUpdater.exe, 00000007.00000002.1520422573.000000000318D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.themindelectric.com/package/com.codegear.sanctuary.srs.v8.server.services.data/
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.000000000353D000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.000000000318D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.themindelectric.com/package/com.codegear.sanctuary.srs.v8.server.services.data/Q
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.0000000003511000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.0000000003161000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.themindelectric.com/package/com.codegear.sanctuary.srs.v8.server.services.licenseverifi
Source: FortectUpdater.exe, 00000007.00000002.1520422573.0000000003161000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000000.1225501584.000000000079D000.00000020.00000001.01000000.00000010.sdmp String found in binary or memory: http://www.themindelectric.com/package/com.codegear.sanctuary.srs.v8.server.services.licenseverifica
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1112613471.0000000003544000.00000004.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.857770508.000000000066C000.00000020.00000001.01000000.00000003.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000004547000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1520422573.0000000003194000.00000004.00001000.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000000.1225501584.000000000079D000.00000020.00000001.01000000.00000010.sdmp String found in binary or memory: http://www.themindelectric.com/package/java.lang/
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: svchost.exe, 00000011.00000002.2137078483.00000000039BA000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://147.45.196.157:443
Source: svchost.exe, 00000003.00000002.2131860868.0000000003CC6000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2131860868.0000000003CCA000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2131860868.0000000003CC8000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2141405621.0000000003D9C000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039B8000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039BA000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://193.187.172.163:443
Source: svchost.exe, 00000003.00000002.2131860868.0000000003CC8000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://193.187.172.163:443Helper
Source: svchost.exe, 00000003.00000002.2131860868.0000000003CC8000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://193.187.172.163:443d
Source: svchost.exe, 00000003.00000002.2131860868.0000000003CC6000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2131860868.0000000003CC8000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2137078483.00000000039B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://193.187.172.163:443https://46.8.232.106:443
Source: svchost.exe, 00000011.00000002.2137078483.0000000003990000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://46.8.232.106:443
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1138565903.0000000006714000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1440189059.0000000001B36000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://api.quotable.io/randomaFailed
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1138565903.0000000006714000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1440189059.0000000001B36000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://api.sentiment-analysis.com/analyze
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1138565903.0000000006714000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1440189059.0000000001B36000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: https://api.smart-speed-bumps.com/data
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://sectigo.com/CPS0B
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sysinternals.com0
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Contains functionality to call native functions
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_0086DF2B NtQuerySystemInformation, 0_2_0086DF2B
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_007428F0 NtQuerySystemInformation,NtQuerySystemInformation,GetModuleFileNameA,CreateFileA,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcessId,CloseHandle,RtlUnicodeStringToAnsiString,_strncpy,RtlFreeAnsiString, 4_2_007428F0
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00742530 NtQueryInformationProcess,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess, 4_2_00742530
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_007428F0 NtQuerySystemInformation,NtQuerySystemInformation,GetModuleFileNameA,CreateFileA,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcessId,CloseHandle,RtlUnicodeStringToAnsiString,_strncpy,RtlFreeAnsiString, 15_2_007428F0
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00742530 NtQueryInformationProcess,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess, 15_2_00742530
Contains functionality to communicate with device drivers
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0075016D: DeviceIoControl,CloseHandle, 4_2_0075016D
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C38B22 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LogonUserA,GetLastError,GetProcessWindowStation,SetProcessWindowStation,GetLastError,OpenWindowStationA,GetLastError,SetProcessWindowStation,GetLastError,OpenDesktopA,GetLastError,SetProcessWindowStation,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,ImpersonateLoggedOnUser,GetLastError,CreateProcessAsUserA,GetLastError,SetProcessWindowStation,CloseWindowStation,CloseDesktop,CloseHandle, 0_2_01C38B22
Detected potential crypto function
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C060FF 0_2_01C060FF
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C02049 0_2_01C02049
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0433D 0_2_01C0433D
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C06273 0_2_01C06273
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C20202 0_2_01C20202
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BF227D 0_2_01BF227D
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C2422F 0_2_01C2422F
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C24525 0_2_01C24525
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BFE499 0_2_01BFE499
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C06479 0_2_01C06479
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0674B 0_2_01C0674B
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0A750 0_2_01C0A750
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C24984 0_2_01C24984
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C06968 0_2_01C06968
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A97F 0_2_01C1A97F
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0A8DF 0_2_01C0A8DF
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C04AD5 0_2_01C04AD5
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BF6A18 0_2_01BF6A18
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C12A12 0_2_01C12A12
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C10DF6 0_2_01C10DF6
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BF2DCB 0_2_01BF2DCB
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C00D58 0_2_01C00D58
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C14D17 0_2_01C14D17
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C04EC8 0_2_01C04EC8
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BFCE6A 0_2_01BFCE6A
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C131F9 0_2_01C131F9
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C09177 0_2_01C09177
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C09100 0_2_01C09100
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C050AA 0_2_01C050AA
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C09072 0_2_01C09072
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C01265 0_2_01C01265
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C09277 0_2_01C09277
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C135E5 0_2_01C135E5
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C23552 0_2_01C23552
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0144E 0_2_01C0144E
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C2376D 0_2_01C2376D
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C236C2 0_2_01C236C2
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BF3680 0_2_01BF3680
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C2360C 0_2_01C2360C
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0198F 0_2_01C0198F
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C15814 0_2_01C15814
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C23818 0_2_01C23818
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C13830 0_2_01C13830
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C05B91 0_2_01C05B91
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C23BBF 0_2_01C23BBF
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C05AA6 0_2_01C05AA6
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C23D86 0_2_01C23D86
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1FD8F 0_2_01C1FD8F
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C05CCB 0_2_01C05CCB
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C05F85 0_2_01C05F85
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C6DF8A 0_2_01C6DF8A
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C23F47 0_2_01C23F47
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C0DF25 0_2_01C0DF25
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C05E00 0_2_01C05E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B0950 2_2_021B0950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B6D60 2_2_021B6D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B2DE8 2_2_021B2DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B33D0 2_2_021B33D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B0941 2_2_021B0941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021B6D52 2_2_021B6D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0B001240 2_2_0B001240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0B002FD8 2_2_0B002FD8
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00743CA0 4_2_00743CA0
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0074D05A 4_2_0074D05A
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00758B3B 4_2_00758B3B
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0074D3B9 4_2_0074D3B9
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0075D531 4_2_0075D531
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0074CD18 4_2_0074CD18
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00758690 4_2_00758690
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0074D717 4_2_0074D717
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01869100 7_2_01869100
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01869177 7_2_01869177
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018650AA 7_2_018650AA
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018660FF 7_2_018660FF
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0185E000 7_2_0185E000
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01862049 7_2_01862049
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01869072 7_2_01869072
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186433D 7_2_0186433D
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01880202 7_2_01880202
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0188422F 7_2_0188422F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01861265 7_2_01861265
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01869277 7_2_01869277
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01866273 7_2_01866273
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0185227D 7_2_0185227D
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01884525 7_2_01884525
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0185E499 7_2_0185E499
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186144E 7_2_0186144E
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01866479 7_2_01866479
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186674B 7_2_0186674B
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01853680 7_2_01853680
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0186198F 7_2_0186198F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01884984 7_2_01884984
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01866968 7_2_01866968
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A97F 7_2_0187A97F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01865B91 7_2_01865B91
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01865AA6 7_2_01865AA6
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01864AD5 7_2_01864AD5
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01872A12 7_2_01872A12
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187FD8F 7_2_0187FD8F
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01852DCB 7_2_01852DCB
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01860D58 7_2_01860D58
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01865CCB 7_2_01865CCB
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01865F85 7_2_01865F85
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_018CDF8A 7_2_018CDF8A
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01864EC8 7_2_01864EC8
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01865E00 7_2_01865E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_01950950 14_2_01950950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_01952DE8 14_2_01952DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_01956D60 14_2_01956D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_019533D0 14_2_019533D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_01950941 14_2_01950941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_01956D53 14_2_01956D53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083010A8 14_2_083010A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083078F0 14_2_083078F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08300208 14_2_08300208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830CA48 14_2_0830CA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08309B60 14_2_08309B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830EB58 14_2_0830EB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830F380 14_2_0830F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08301BC0 14_2_08301BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083045C0 14_2_083045C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830F688 14_2_0830F688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830D7F0 14_2_0830D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08300012 14_2_08300012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830B850 14_2_0830B850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083038B2 14_2_083038B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08301081 14_2_08301081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083088F8 14_2_083088F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083078DF 14_2_083078DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083038C0 14_2_083038C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083050CC 14_2_083050CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08308908 14_2_08308908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08305170 14_2_08305170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830D1B0 14_2_0830D1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083041A0 14_2_083041A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08304192 14_2_08304192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_083001F9 14_2_083001F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08309B51 14_2_08309B51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08303BB0 14_2_08303BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08303BC0 14_2_08303BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08304418 14_2_08304418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0830440A 14_2_0830440A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08304572 14_2_08304572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08302DE0 14_2_08302DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08302DD0 14_2_08302DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08303F68 14_2_08303F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08303F5A 14_2_08303F5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08340006 14_2_08340006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08340040 14_2_08340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_08343200 14_2_08343200
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00743CA0 15_2_00743CA0
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0074D05A 15_2_0074D05A
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00758B3B 15_2_00758B3B
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0074D3B9 15_2_0074D3B9
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0075D531 15_2_0075D531
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0074CD18 15_2_0074CD18
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00758690 15_2_00758690
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0074D717 15_2_0074D717
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\Fortect\tcpvcon.exe 198995FECC0E38A2749B7E48C54112A959B77878683B726EE36430C4BACEC196
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\hbtmoxvlf 805452F185DE04D782EE4406FD8AB01C48AC3FA497ACB391370E7F7A98896EDC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\teclexg 805452F185DE04D782EE4406FD8AB01C48AC3FA497ACB391370E7F7A98896EDC
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C1C471 appears 68 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C350CA appears 231 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C39251 appears 64 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C1C734 appears 61 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C1C0E1 appears 102 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C2731B appears 36 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C1C77B appears 74 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C7846C appears 58 times
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: String function: 01C27AAA appears 31 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 0187C77B appears 74 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 01899251 appears 64 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 0187C734 appears 41 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 0187C0E1 appears 102 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 018D846C appears 50 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 0188731B appears 32 times
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: String function: 0187C471 appears 43 times
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: String function: 007415F0 appears 42 times
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: String function: 007461D0 appears 84 times
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: String function: 00753CD4 appears 38 times
PE / OLE file has an invalid certificate
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE file contains more sections than normal
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: Number of sections : 11 > 10
Sample file is different than original file name gathered from version info
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111873069.0000000001CA1000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameipworksipc20.dllj% vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameipworksipc20.dllj% vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBitRaserFileEraser.exeJ vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1138565903.0000000006714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenixsudocrypt1.exeT vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameipworksipc20.dllj% vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBitRaserFileEraser.exeJ vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1133776428.000000000543A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006D1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTcpvcon.exe0 vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.857770508.000000000066C000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1135970008.000000000579D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000004547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Binary or memory string: OriginalFilename vs S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe
Uses 32bit PE files
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: teclexg.0.dr, g3Z1N.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: teclexg.0.dr, i4C7Jy.cs Cryptographic APIs: 'CreateDecryptor'
Source: hbtmoxvlf.7.dr, g3Z1N.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: hbtmoxvlf.7.dr, i4C7Jy.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/10@3/3
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A626 CertOpenSystemStoreA, 0_2_01C1A626
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07642 CertOpenSystemStoreA, 0_2_01C07642
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_0187A626 CertOpenSystemStoreA, 7_2_0187A626
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Code function: 7_2_01867642 CertOpenSystemStoreA, 7_2_01867642
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00744E70 WSAStartup,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 4_2_00744E70
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00744E70 WSAStartup,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 15_2_00744E70
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00743CA0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,GetExtendedTcpTable,GetExtendedTcpTable,GetTickCount,GetExtendedUdpTable,GetExtendedUdpTable,GetTickCount,GetExtendedTcpTable,GetExtendedTcpTable,GetTickCount,GetExtendedUdpTable,GetExtendedUdpTable,GetTickCount,CloseHandle,GetProcessHeap,GetProcessHeap,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetTcpTable,GetTcpTable,GetTcpTable,GetUdpTable,GetUdpTable,GetUdpTable,GetTickCount,GetTickCount, 4_2_00743CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1388:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File created: C:\Users\user~1\AppData\Local\Temp\5616e7ef Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Virustotal: Detection: 60%
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe ReversingLabs: Detection: 58%
Source: svchost.exe String found in binary or memory: eQ2J2QDNMIpv/addrselect.go
Source: svchost.exe String found in binary or memory: y6uG7VX/addr.go
Source: svchost.exe String found in binary or memory: G8CTIpvnvKY1/addr.go
Source: svchost.exe String found in binary or memory: gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in
Source: svchost.exe String found in binary or memory: gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in
Source: svchost.exe String found in binary or memory: eep-alive interval must be positivelfstack node allocated from the heapruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: svchost.exe String found in binary or memory: eep-alive interval must be positivelfstack node allocated from the heapruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: application/vnd.groove-help
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe String found in binary or memory: "application/x-install-instructions
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File read: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe "C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe"
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula
Source: C:\ProgramData\Fortect\tcpvcon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula
Source: C:\ProgramData\Fortect\tcpvcon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: qwave.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: traffic.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: wmiclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: input.dll Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: qwave.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: traffic.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: wmiclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: input.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static file information: File size 12721608 > 1048576
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3fc000
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x796a00
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1133776428.0000000005317000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1135970008.0000000005670000.00000004.00000800.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1223321326.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1222447832.0000000002920000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1558117489.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1555542608.0000000002C83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Input.pdbGCTL source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001961000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1514654865.00000000016C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1133776428.0000000005317000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1135970008.0000000005670000.00000004.00000800.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1223321326.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1222447832.0000000002920000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1558117489.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, tcpvcon.exe, 0000000F.00000002.1555542608.0000000002C83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Input.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001961000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1514654865.00000000016C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -uC:\Windows\exe\MSBuild.pdb- source: MSBuild.exe, 00000002.00000002.1477579693.0000000001E99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Dev\branches\v20\Release\IPWorksIPC\cpp\Release32\ipworksipc20.full.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111873069.0000000001BF0000.00000040.00001000.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1113967083.0000000005077000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000000.859010716.000000000120F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\1\s\exe\Win32\Release\Tcpvcon.pdb source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006D1C000.00000004.00000020.00020000.00000000.sdmp, tcpvcon.exe, 00000004.00000002.1221910418.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 00000004.00000000.1105896356.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 0000000F.00000000.1502698478.000000000075F000.00000002.00000001.01000000.0000000C.sdmp, tcpvcon.exe, 0000000F.00000002.1554655637.000000000075F000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation
barindex
Yara detected DarkTortilla Crypter
Source: Yara match File source: 2.2.MSBuild.exe.6680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4be0470.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4be0470.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.6680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4bc0450.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4c20490.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4bc0450.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.4c20490.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1527199567.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1581895096.0000000006680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1868541609.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1483272606.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1527199567.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2012, type: MEMORYSTR
.NET source code contains method to dynamically call methods (often used by packers)
Source: teclexg.0.dr, i4C7Jy.cs .Net Code: NewLateBinding.LateCall(_0024VB_0024Local_itemmm, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: hbtmoxvlf.7.dr, i4C7Jy.cs .Net Code: NewLateBinding.LateCall(_0024VB_0024Local_itemmm, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A867 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01C1A867
PE file contains sections with non-standard names
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C82439 push ebp; retf 0_2_01C8244D
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C7AAED push 0000006Ah; retf 0_2_01C7AB5C
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C7AAEB push 0000006Ah; retf 0_2_01C7AB5C
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C7AA83 push 0000006Ah; retf 0_2_01C7AB5C
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C83826 push 00000000h; ret 0_2_01C83828
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_0087243A pushad ; retf 0_2_0087244A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_0B002484 push es; ret 2_2_0B002486
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0075DC81 push ecx; ret 4_2_0075DC94
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0075DC81 push ecx; ret 15_2_0075DC94
Source: teclexg.0.dr, m2SGp.cs High entropy of concatenated method names: 'w3D2F', 'Xx62H', 'MoveNext', 'o8X1P', 'SetStateMachine', 'f7S9Z', 'MoveNext', 'Hm4z8', 'SetStateMachine', 'Zg5s4'
Source: teclexg.0.dr, g3Z1N.cs High entropy of concatenated method names: 'c0P1K', 'g5B0Q', 'j0C6Y', 'z0C7Q', 'Pc49E', 'Zq18R', 'Sj38W', 'Xq26R', 'o0SHi', 'Je07G'
Source: teclexg.0.dr, i4C7Jy.cs High entropy of concatenated method names: 'Wj7n1K', 'MoveNext', 'Ta2w3E', 'SetStateMachine', 'k3DLn2', 'MoveNext', 'Sn5j9P', 'SetStateMachine', 'Ez7i2X', 't1W4Zn'
Source: teclexg.0.dr, p2Q6J.cs High entropy of concatenated method names: 'Kq4o3W', 'd3C4Kb', 'x4TGb6', 's4F8Br', 'Kg4a3W', 'Kf5w6L', 'At5k0T', 'Yk79Wa', 'j2E9Yb', 's1ERj2'
Source: teclexg.0.dr, s3KGn6.cs High entropy of concatenated method names: 'p2TEf7', 'Ho94Lq', 'Tb80Cj', 'a5D7Jq', 'Jt8w7G', 'a3GZb8', 'f0SNo8', 'Ct94Rp', 'Te97Zi', 'St07Ti'
Source: teclexg.0.dr, b6NZe7.cs High entropy of concatenated method names: 'm6LRc1', 'MoveNext', 't8PDa4', 'SetStateMachine', 'Qw21Hq', 'Kb05Xp', 'p0G3Cn', 'Ns1o9K', 'g9QLm8', 'Pa81Yg'
Source: hbtmoxvlf.7.dr, m2SGp.cs High entropy of concatenated method names: 'w3D2F', 'Xx62H', 'MoveNext', 'o8X1P', 'SetStateMachine', 'f7S9Z', 'MoveNext', 'Hm4z8', 'SetStateMachine', 'Zg5s4'
Source: hbtmoxvlf.7.dr, g3Z1N.cs High entropy of concatenated method names: 'c0P1K', 'g5B0Q', 'j0C6Y', 'z0C7Q', 'Pc49E', 'Zq18R', 'Sj38W', 'Xq26R', 'o0SHi', 'Je07G'
Source: hbtmoxvlf.7.dr, i4C7Jy.cs High entropy of concatenated method names: 'Wj7n1K', 'MoveNext', 'Ta2w3E', 'SetStateMachine', 'k3DLn2', 'MoveNext', 'Sn5j9P', 'SetStateMachine', 'Ez7i2X', 't1W4Zn'
Source: hbtmoxvlf.7.dr, p2Q6J.cs High entropy of concatenated method names: 'Kq4o3W', 'd3C4Kb', 'x4TGb6', 's4F8Br', 'Kg4a3W', 'Kf5w6L', 'At5k0T', 'Yk79Wa', 'j2E9Yb', 's1ERj2'
Source: hbtmoxvlf.7.dr, s3KGn6.cs High entropy of concatenated method names: 'p2TEf7', 'Ho94Lq', 'Tb80Cj', 'a5D7Jq', 'Jt8w7G', 'a3GZb8', 'f0SNo8', 'Ct94Rp', 'Te97Zi', 'St07Ti'
Source: hbtmoxvlf.7.dr, b6NZe7.cs High entropy of concatenated method names: 'm6LRc1', 'MoveNext', 't8PDa4', 'SetStateMachine', 'Qw21Hq', 'Kb05Xp', 'p0G3Cn', 'Ns1o9K', 'g9QLm8', 'Pa81Yg'
Drops PE files
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe File created: C:\Users\user\AppData\Local\Temp\hbtmoxvlf Jump to dropped file
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File created: C:\Users\user\AppData\Local\Temp\teclexg Jump to dropped file
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File created: C:\ProgramData\Fortect\tcpvcon.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File created: C:\ProgramData\Fortect\tcpvcon.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe File created: C:\Users\user\AppData\Local\Temp\teclexg Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe File created: C:\Users\user\AppData\Local\Temp\hbtmoxvlf Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TECLEXG
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HBTMOXVLF
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe\:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C07270 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01C07270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2012, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe API/Special instruction interceptor: Address: 6D6990B4
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe API/Special instruction interceptor: Address: 6D698DB8
Source: C:\ProgramData\Fortect\tcpvcon.exe API/Special instruction interceptor: Address: 6D694B84
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe API/Special instruction interceptor: Address: 6D6990B4
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe API/Special instruction interceptor: Address: 6D698DB8
Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: OutputDebugStringW count: 145
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2110000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2110000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 9DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: B920000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: C920000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: DC70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: EC70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: FC70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 10C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 11370000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 12370000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 13370000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 14370000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1680000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3350000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 18B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 90E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 8160000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: B0E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: C0E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: D490000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: E590000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: F590000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: B0E0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_007428F0 NtQuerySystemInformation,NtQuerySystemInformation,GetModuleFileNameA,CreateFileA,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcessId,CloseHandle,RtlUnicodeStringToAnsiString,_strncpy,RtlFreeAnsiString, 4_2_007428F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hbtmoxvlf Jump to dropped file
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\teclexg Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe API coverage: 4.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2852 Thread sleep time: -73000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4480 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2752 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7152 Thread sleep time: -55000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1236 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6064 Thread sleep time: -64000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_0075611F FindFirstFileExW, 4_2_0075611F
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_0075611F FindFirstFileExW, 15_2_0075611F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: svchost.exe, 00000003.00000002.2130145605.0000000003400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg*
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 00000002.00000002.1527199567.0000000004C20000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1581895096.0000000006680000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1527199567.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: MSBuild.exe, 00000002.00000002.1527199567.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.00000000018FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1164205159.0000000006E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: tcpvcon.exe, 00000004.00000002.1222195752.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: FortectUpdater.exe, 00000007.00000002.1514654865.000000000165E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2129778855.0000000003200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tcpvcon.exe, 0000000F.00000002.1555211032.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_021BA1C4 CheckRemoteDebuggerPresent, 2_2_021BA1C4
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00750B9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00750B9D
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_007428F0 NtQuerySystemInformation,NtQuerySystemInformation,GetModuleFileNameA,CreateFileA,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcessId,CloseHandle,RtlUnicodeStringToAnsiString,_strncpy,RtlFreeAnsiString, 4_2_007428F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1A867 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01C1A867
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_0086E5FB mov eax, dword ptr fs:[00000030h] 0_2_0086E5FB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C78303 GetProcessHeap,HeapAlloc, 0_2_01C78303
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00750B9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00750B9D
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00745DBD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00745DBD
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00745F22 SetUnhandledExceptionFilter, 4_2_00745F22
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00745793 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00745793
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00750B9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00750B9D
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00745DBD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00745DBD
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00745F22 SetUnhandledExceptionFilter, 15_2_00745F22
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 15_2_00745793 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00745793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 193.187.172.163 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 147.45.196.157 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 46.8.232.106 443 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and write Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\ProgramData\Fortect\tcpvcon.exe NtCreateFile: Direct from: 0x6D6967FC Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A1363 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtSetInformationThread: Direct from: 0x6D69814D Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0C83 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A115C Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D69F9DA Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A10F3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0F1C Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D6964E4 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtQueryInformationToken: Direct from: 0x6D697EA4 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtCreateFile: Direct from: 0x6D694ED3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D696547 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D696568 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D69F907 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D696505 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D696526 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D696108 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D69EE74 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtQuerySystemInformation: Direct from: 0x6D6953FB Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D69F8D3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A1DC2 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D698B0D Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D69E9C3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtQueryInformationToken: Direct from: 0x6D698113 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0EB3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A1457 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0202 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtQuerySystemInformation: Direct from: 0x6D698B49 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe NtQuerySystemInformation: Direct from: 0x776C7B2E Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D6A0189 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A13CC Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x776C63E1 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A11E3 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAddAtomEx: Direct from: 0x6D69F778 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A1EFE Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtAllocateVirtualMemory: Direct from: 0x6D695C22 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtDelayExecution: Direct from: 0x6D6920B1 Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe NtSetInformationThread: Direct from: 0x86F29C Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0F73 Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtProtectVirtualMemory: Direct from: 0x6D6A0CEC Jump to behavior
Source: C:\ProgramData\Fortect\tcpvcon.exe NtQuerySystemInformation: Direct from: 0x6D697FD9 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Section loaded: NULL target: C:\ProgramData\Fortect\tcpvcon.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Section loaded: NULL target: C:\ProgramData\Fortect\tcpvcon.exe protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 691000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 8B7000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 912000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 913000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 932000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 311D008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 691000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 8B7000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 912000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 913000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 932000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DE5008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C38B22 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LogonUserA,GetLastError,GetProcessWindowStation,SetProcessWindowStation,GetLastError,OpenWindowStationA,GetLastError,SetProcessWindowStation,GetLastError,OpenDesktopA,GetLastError,SetProcessWindowStation,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,ImpersonateLoggedOnUser,GetLastError,CreateProcessAsUserA,GetLastError,SetProcessWindowStation,CloseWindowStation,CloseDesktop,CloseHandle, 0_2_01C38B22
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Process created: C:\ProgramData\Fortect\tcpvcon.exe "C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteula Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C1B8C3 SetProcessWindowStation,GetUserObjectSecurity,HeapAlloc,GetProcessHeap,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetUserObjectSecurity,InitializeSecurityDescriptor,GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,GetLengthSid,CopySid,AddAce,AddAce,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_01C1B8C3
Source: S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001998000.00000004.00000020.00020000.00000000.sdmp, S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe, 00000000.00000002.1111339943.0000000001961000.00000004.00000020.00020000.00000000.sdmp, FortectUpdater.exe, 00000007.00000002.1514654865.00000000016C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %s\%08xWinStationGetConnectionPropertywinsta.dllWinStationQueryInformationWWinStationFreePropertyValue\System32SYSTEM\CurrentControlSet\Control\Keyboard Layouts\%08xIME fileSOFTWARE\Classes\CLSID\%s\InprocServer32ThreadingModelApartmentSOFTWARE\Classes\CLSID\%s\LocalServer32Shell_TrayWndAttributesKeyboard Layout
Contains functionality to query CPU information (cpuid)
Source: C:\ProgramData\Fortect\tcpvcon.exe Code function: 4_2_00745FDE cpuid 4_2_00745FDE
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5616e7ef VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fortect\FortectUpdater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\6cf4650d VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C74648 CreateNamedPipeA,CreateFileA,GetLastError,CloseHandle,GetLastError, 0_2_01C74648
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C703AC GetSystemTime, 0_2_01C703AC
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01BF2065 GetTimeZoneInformation, 0_2_01BF2065
Source: C:\Users\user\Desktop\S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe Code function: 0_2_01C70A52 GetVersionExA, 0_2_01C70A52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected GO Backdoor
Source: Yara match File source: 00000011.00000002.2137078483.00000000039BC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1472, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected GO Backdoor
Source: Yara match File source: 00000011.00000002.2137078483.00000000039BC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1472, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1651310 Sample: S7ARUI0TQ6B7LESTTMXNRQZTA7L... Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 39 pki-goog.l.google.com 2->39 41 c.pki.goog 2->41 43 3.238.64.98.in-addr.arpa 2->43 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 8 S7ARUI0TQ6B7LESTTMXNRQZTA7LFQEF.exe 6 2->8         started        12 FortectUpdater.exe 5 2->12         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\teclexg, PE32 8->33 dropped 35 C:\ProgramData\Fortect\tcpvcon.exe, PE32 8->35 dropped 59 Found hidden mapped module (file has been removed from disk) 8->59 61 Maps a DLL or memory area into another process 8->61 63 Switches to a custom stack to bypass stack traces 8->63 14 MSBuild.exe 3 8->14         started        17 tcpvcon.exe 1 2 8->17         started        37 C:\Users\user\AppData\Local\Temp\hbtmoxvlf, PE32 12->37 dropped 65 Found direct / indirect Syscall (likely to bypass EDR) 12->65 19 MSBuild.exe 2 12->19         started        21 tcpvcon.exe 1 12->21         started        signatures6 process7 signatures8 69 Writes to foreign memory regions 14->69 71 Tries to delay execution (extensive OutputDebugStringW loop) 14->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->73 75 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->75 23 svchost.exe 1 14->23         started        77 Switches to a custom stack to bypass stack traces 17->77 79 Found direct / indirect Syscall (likely to bypass EDR) 17->79 26 conhost.exe 17->26         started        81 Allocates memory in foreign processes 19->81 83 Injects a PE file into a foreign processes 19->83 28 svchost.exe 19->28         started        31 conhost.exe 21->31         started        process9 dnsIp10 45 193.187.172.163, 443, 49695, 49698 ITOS-ASRU Russian Federation 23->45 47 147.45.196.157, 443, 49694, 49697 FREE-NET-ASFREEnetEU Russian Federation 23->47 49 46.8.232.106, 443, 49693, 49696 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 23->49 67 System process connects to network (likely due to code injection or exploit) 28->67 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
46.8.232.106
 unknown Russian Federation
28917 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics true
193.187.172.163
 unknown Russian Federation
64439 ITOS-ASRU true
147.45.196.157
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.90.172 true
pki-goog.l.google.com 142.250.80.35 true
c.pki.goog unknown unknown
3.238.64.98.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://c.pki.goog/r/r4.crl false
    		high
    https://147.45.196.157:443/ false
      		high
      https://193.187.172.163:443/ true
      • Avira URL Cloud: safe
      		 unknown
      https://46.8.232.106:443/ false
        		high
        http://c.pki.goog/r/gsr1.crl false
          		high