Windows Analysis Report
EUFOvMxM2H.exe

Overview

General Information

Sample name: EUFOvMxM2H.exe
renamed because original name is a hash value
Original sample name: 9e6179c0b9757ea73f1315d3cdbe92a6e4537eb6fe718fcd15290278ee70c183.exe
Analysis ID: 1554428
MD5: a744aa75b90d2623cad73ecc669a29c4
SHA1: 076c458f9f6e964b08e08352d119efc4c729c903
SHA256: 9e6179c0b9757ea73f1315d3cdbe92a6e4537eb6fe718fcd15290278ee70c183
Tags: 4-251-123-83, exe, user-JAMESWT_MHT

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component that targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: C:\Path1\To2\Save444\uh3ex1.exe Avira: detection malicious, Label: HEUR/AGEN.1311038
Source: MSBuild.exe.3232.8.memstrmin Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}
Source: C:\Path1\To2\Save444\uh3ex1.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\gdi32.dll ReversingLabs: Detection: 83%
Source: EUFOvMxM2H.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll Joe Sandbox ML: detected
Source: C:\Path1\To2\Save444\uh3ex1.exe Joe Sandbox ML: detected
Source: EUFOvMxM2H.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: EUFOvMxM2H.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA1C108 FindFirstFileExW, 6_2_6CA1C108

Networking

Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49781 -> 4.251.123.83:6677
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.7:49781
Source: Malware configuration extractor URLs: 4.251.123.83:6677
Source: global traffic TCP traffic: 192.168.2.7:49781 -> 4.251.123.83:6677
Source: global traffic HTTP traffic detected: GET /Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /github-production-release-asset-2e65be/882783246/b23a0dba-ce39-4346-b67f-261d78699733?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241112T135026Z&X-Amz-Expires=300&X-Amz-Signature=2c2918ad1c088c74e424c5e0842a55433a7fe7a314dfeedb12184bfb225b99f5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Duh3ex1.exe&response-content-type=application%2Foctet-stream HTTP/1.1 | Host: objects.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 140.82.121.4
Source: Joe Sandbox View IP Address: 185.199.110.133
Source: Joe Sandbox View ASN Name: LEVEL3US
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: MSBuild.exe, 00000008.00000002.1573933911.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbf equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000008.00000002.1573933911.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: quC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: objects.githubusercontent.com
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 00000003.00000002.1425859203.00000000045D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1Response
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field1ResponseD
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2Response
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field2ResponseD
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3
Source: MSBuild.exe, 00000008.00000002.1576192655.000000000369F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3Response
Source: MSBuild.exe, 00000008.00000002.1576192655.000000000369F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/example/Field3ResponseD
Source: powershell.exe, 00000003.00000002.1425859203.00000000045D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: MSBuild.exe, 00000008.00000002.1576192655.000000000369F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.o
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.1425859203.0000000004481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000003.00000002.1427858722.00000000054ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1427858722.00000000054ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1427858722.00000000054ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, EUFOvMxM2H.exe, 00000001.00000002.1478059136.00000000028D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000003.00000002.1425859203.00000000045D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.0000000002861000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe
Source: powershell.exe, 00000003.00000002.1427858722.00000000054ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.0000000002908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.0000000002908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/882783246/b23a0dba-ce39
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000008.00000002.1588126546.000000000448E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: uh3ex1.exe.1.dr, -Module-.cs Large array initialization: _206D_200E_206C_200E_206F_202E_202C_206C_202D_206C_206D_200D_206E_206E_202C_202A_202D_202E_206F_202D_200F_200E_200C_200D_202B_200F_206E_202C_200B_200F_206C_206E_202A_202A_200C_206A_202B_202C_202A_200D_202E: array initializer size 54016
Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA13C10 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,NtGetContextThread,NtWriteVirtualMemory,NtCreateThreadEx,CloseHandle,CloseHandle, 6_2_6CA13C10
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA136D0 GetModuleHandleW,NtQueryInformationProcess, 6_2_6CA136D0
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0A18 1_2_026F0A18
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0EE0 1_2_026F0EE0
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F1875 1_2_026F1875
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0C00 1_2_026F0C00
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F21B1 1_2_026F21B1
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F2261 1_2_026F2261
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0ED0 1_2_026F0ED0
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0F1A 1_2_026F0F1A
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F0F91 1_2_026F0F91
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F24E8 1_2_026F24E8
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F14A1 1_2_026F14A1
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Code function: 1_2_026F1973 1_2_026F1973
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_042DB4A0 3_2_042DB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_042DB490 3_2_042DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08394CF8 3_2_08394CF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08393A98 3_2_08393A98
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA13C10 6_2_6CA13C10
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA136D0 6_2_6CA136D0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA11360 6_2_6CA11360
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA12C30 6_2_6CA12C30
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA11000 6_2_6CA11000
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA16C40 6_2_6CA16C40
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA226B5 6_2_6CA226B5
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF58B0 6_2_00BF58B0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF4408 6_2_00BF4408
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF5C08 6_2_00BF5C08
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3BB3 6_2_00BF3BB3
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF39F0 6_2_00BF39F0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF23E0 6_2_00BF23E0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0FC8 6_2_00BF0FC8
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF5158 6_2_00BF5158
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0EB9 6_2_00BF0EB9
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3EB9 6_2_00BF3EB9
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF34B0 6_2_00BF34B0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0A9B 6_2_00BF0A9B
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0E90 6_2_00BF0E90
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF2289 6_2_00BF2289
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF20FE 6_2_00BF20FE
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF08FC 6_2_00BF08FC
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3CFA 6_2_00BF3CFA
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0CF2 6_2_00BF0CF2
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF22E8 6_2_00BF22E8
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF2CE0 6_2_00BF2CE0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1CC7 6_2_00BF1CC7
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1C3D 6_2_00BF1C3D
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1E38 6_2_00BF1E38
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF222A 6_2_00BF222A
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3C1D 6_2_00BF3C1D
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0A19 6_2_00BF0A19
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3818 6_2_00BF3818
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF5418 6_2_00BF5418
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0E14 6_2_00BF0E14
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0C0B 6_2_00BF0C0B
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3E0A 6_2_00BF3E0A
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3808 6_2_00BF3808
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3E7E 6_2_00BF3E7E
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3C78 6_2_00BF3C78
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF2A60 6_2_00BF2A60
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3E55 6_2_00BF3E55
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0E52 6_2_00BF0E52
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF404F 6_2_00BF404F
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0C46 6_2_00BF0C46
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1FA1 6_2_00BF1FA1
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0BA0 6_2_00BF0BA0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3F83 6_2_00BF3F83
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF43F8 6_2_00BF43F8
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1BF3 6_2_00BF1BF3
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0BD4 6_2_00BF0BD4
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF09D0 6_2_00BF09D0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0DC5 6_2_00BF0DC5
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0B38 6_2_00BF0B38
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF4138 6_2_00BF4138
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0F22 6_2_00BF0F22
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF1B15 6_2_00BF1B15
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3F07 6_2_00BF3F07
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0979 6_2_00BF0979
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3D79 6_2_00BF3D79
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0D73 6_2_00BF0D73
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0B6C 6_2_00BF0B6C
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF2160 6_2_00BF2160
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF5149 6_2_00BF5149
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF0945 6_2_00BF0945
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_00BF3D43 6_2_00BF3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_014B7660 8_2_014B7660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_014B0869 8_2_014B0869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_014B0878 8_2_014B0878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_014B7652 8_2_014B7652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_014B7660 8_2_014B7660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_031D1A70 8_2_031D1A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_031D1A60 8_2_031D1A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_031D10B0 8_2_031D10B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F6AB8 8_2_075F6AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075FD910 8_2_075FD910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F48F8 8_2_075F48F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F1E50 8_2_075F1E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F1E4E 8_2_075F1E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F9C28 8_2_075F9C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F1258 8_2_075F1258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F1249 8_2_075F1249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F8940 8_2_075F8940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F5138 8_2_075F5138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_075F48E8 8_2_075F48E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076731C1 8_2_076731C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07676FE8 8_2_07676FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767AFF0 8_2_0767AFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07676CC8 8_2_07676CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767D9C0 8_2_0767D9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076799C8 8_2_076799C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767B509 8_2_0767B509
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767B518 8_2_0767B518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07677E08 8_2_07677E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07676B3B 8_2_07676B3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767D9BF 8_2_0767D9BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07697588 8_2_07697588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769C4A8 8_2_0769C4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769A288 8_2_0769A288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07690040 8_2_07690040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07697FD8 8_2_07697FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769EEC8 8_2_0769EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769DA08 8_2_0769DA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076999D0 8_2_076999D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07691578 8_2_07691578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07691588 8_2_07691588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07697587 8_2_07697587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769B128 8_2_0769B128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07695800 8_2_07695800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07695810 8_2_07695810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A0540 8_2_076A0540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076AB478 8_2_076AB478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076AECE8 8_2_076AECE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A7378 8_2_076A7378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A7A58 8_2_076A7A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076AB468 8_2_076AB468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A5278 8_2_076A5278
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: String function: 6CA17C10 appears 33 times
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.0000000002983000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUlyssesLiamQuinn.dqH vs EUFOvMxM2H.exe
Source: EUFOvMxM2H.exe, 00000001.00000002.1480719454.0000000005AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUlyssesLiamQuinn.dqH vs EUFOvMxM2H.exe
Source: EUFOvMxM2H.exe, 00000001.00000000.1372066275.0000000000538000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameConsoleApp2.exe8 vs EUFOvMxM2H.exe
Source: EUFOvMxM2H.exe, 00000001.00000002.1469327763.00000000009DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs EUFOvMxM2H.exe
Source: EUFOvMxM2H.exe, 00000001.00000002.1478059136.0000000002900000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUlyssesLiamQuinn.dqH vs EUFOvMxM2H.exe
Source: EUFOvMxM2H.exe Binary or memory string: OriginalFilenameConsoleApp2.exe8 vs EUFOvMxM2H.exe
Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: uh3ex1.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, Class4.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/11@3/3
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EUFOvMxM2H.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucddx1sg.kba.ps1
Source: EUFOvMxM2H.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EUFOvMxM2H.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EUFOvMxM2H.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\EUFOvMxM2H.exe "C:\Users\user\Desktop\EUFOvMxM2H.exe"
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Path1\To2\Save444\uh3ex1.exe "C:\Path1\To2\Save444\uh3ex1.exe"
Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: mscoree.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: apphelp.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: kernel.appcore.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: version.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: wldp.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: amsi.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: userenv.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: profapi.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: msasn1.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: gpapi.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Path1\To2\Save444\uh3ex1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: EUFOvMxM2H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EUFOvMxM2H.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, Class4.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: uh3ex1.exe.1.dr, -Module-.cs .Net Code: _206D_200F_202A_200F_206D_206F_206D_200D_206C_200B_202E_206A_206B_202A_206C_202B_200D_206A_200B_202E_202B_206D_200C_202A_206D_202B_202A_206C_206E_206E_206B_206C_200B_200E_206D_200D_206D_202C_200E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_042D634D push eax; ret 3_2_042D6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_042D2C5C push 04B8072Fh; retf 3_2_042D2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_042D2CA5 push 04B8072Fh; retf 3_2_042D2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07224E90 pushad ; retf 3_2_07225019
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07225000 pushad ; retf 3_2_07225019
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_083936D7 push ebx; iretd 3_2_083936DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_083973B8 push eax; iretd 3_2_083973B9
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA22DE4 push ecx; ret 6_2_6CA22DF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767FBE8 pushad ; ret 8_2_0767FBF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07676A01 push FFFFFF8Bh; iretd 8_2_07676A03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_07676A94 push FFFFFF8Bh; iretd 8_2_07676AA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769C452 push 9C0749C3h; ret 8_2_0769C45D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769D4A0 pushfd ; retf 8_2_0769D4A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769ADB0 pushad ; ret 8_2_0769ADB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769FC58 pushfd ; retf 8_2_0769FCC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0769FCB8 pushfd ; retf 8_2_0769FCC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A87C0 push FFFFFFCBh; retf 8_2_076A87CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A979B push ss; retf 8_2_076A97A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_076A3980 pushad ; ret 8_2_076A3981
Source: uh3ex1.exe.1.dr Static PE information: section name: .text entropy: 7.8298536407435835
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe File created: C:\Path1\To2\Save444\uh3ex1.exe
Source: C:\Path1\To2\Save444\uh3ex1.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Path1\To2\Save444\uh3ex1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: uh3ex1.exe PID: 8108, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 26C0000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 5D20000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 5E50000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 6E50000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 72A0000 memory reserve | memory write watch
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 82A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 598561
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 598450
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Path1\To2\Save444\uh3ex1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Window / User API: threadDelayed 364
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Window / User API: threadDelayed 2389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6224
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2020
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -598561s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8076 Thread sleep time: -598450s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 8028 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe TID: 7792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep count: 6224 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep count: 3407 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Path1\To2\Save444\uh3ex1.exe TID: 8160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4036 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA1C108 FindFirstFileExW, 6_2_6CA1C108
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: EUFOvMxM2H.exe, 00000001.00000002.1480719454.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: EUFOvMxM2H.exe, 00000001.00000002.1469327763.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1595864013.0000000006677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: EUFOvMxM2H.exe, 00000001.00000002.1480719454.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 00000008.00000002.1588126546.0000000004425000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0767E3E0 LdrLoadDll, 8_2_0767E3E0
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA17A9A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA17A9A
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA1D82B GetProcessHeap, 6_2_6CA1D82B
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA175C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CA175C1
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA17A9A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA17A9A
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA1BA57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA1BA57
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 730000 protect: page execute and read and write
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 730000 value starts with: 4D5A
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 730000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 732000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 77E000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7EA000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 732000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 77E000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7EA000
Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11C9008
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Process created: C:\Path1\To2\Save444\uh3ex1.exe "C:\Path1\To2\Save444\uh3ex1.exe"
Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA17C58 cpuid 6_2_6CA17C58
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Queries volume information: C:\Users\user\Desktop\EUFOvMxM2H.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Path1\To2\Save444\uh3ex1.exe Queries volume information: C:\Path1\To2\Save444\uh3ex1.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6CA176E3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_6CA176E3
Source: C:\Users\user\Desktop\EUFOvMxM2H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: MSBuild.exe, 00000008.00000002.1595626564.00000000065F4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1573933911.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1604178090.0000000007EA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1571472188.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1571472188.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectronCash
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: com.liberty.jaxx
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: MSBuild.exe, 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: powershell.exe, 00000003.00000002.1431136671.00000000072E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: Yara match File source: 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3232, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.1576192655.0000000003396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1571472188.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1576192655.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1571472188.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uh3ex1.exe.6ca2b000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1517741953.000000006CA2B000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY