Windows Analysis Report
doc1.exe

Overview

General Information

Sample name: doc1.exe
Analysis ID: 1500036
MD5: fddd99d918c32a807cd1761c519b086b
SHA1: 8cf7e4c454f20d2ab851bb6e18a4250b7af4157c
SHA256: 5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920
Tags: exe, SnakeKeylogger

Detection

Clipboard Hijacker, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendxbacklog@zulpine.shop", "Password": "dkA6kDAnLHNg", "Host": "zulpine.shop", "Port": "587", "Version": "5.1"}
Source: C:\Users\user\AppData\Roaming\bosotkm.exe ReversingLabs: Detection: 52%
Source: doc1.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: doc1.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: doc1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49726 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49743 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49758 version: TLS 1.0
Source: unknown HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: doc1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBJ source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb|) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbS source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb\dp`d source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb= source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbYQ source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2562731419.000000000154D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbs source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb((^ source: MSBuild.exe, 00000016.00000002.2558663468.00000000014E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb` source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\MSBuild.pdb,) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbf source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL} source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL08w# source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: mscorlib.pdb7 source: WERABFD.tmp.dmp.43.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbV source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.pdbMSBuild.exe source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbS source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb6 source: WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb$ source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb! source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: ?pnC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb" source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb3 source: MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb!z source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbV source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbS source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbl)B source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.pdbxW source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb== source: MSBuild.exe, 0000000C.00000002.2457220076.0000000000F43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbJ@2 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: osymbols\exe\MSBuild.pdb source: MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb4 source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsers\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:r source: MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdbH source: WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbeh source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HPdn0C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB89 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: @pn.pdb5w source: MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb~x+h5 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb.x source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: mscorlib.pdbL}f source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbH source: WER2A88.tmp.dmp.31.dr
Source: Binary string: System.Core.pdb`d source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbll source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdbt source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: System.Windows.Forms.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Drawing.pdbL08w# source: WERABFD.tmp.dmp.43.dr
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb;h source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbB@* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @pn.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb*p source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb0q source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbhWH source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbd5 source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 057FABF0h 1_2_057FAB38
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 057FABF0h 1_2_057FAB33
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 057F3F5Ch 1_2_057F3BD8
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 057F3F5Ch 1_2_057F3BC8
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_057FF3A0
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_057FF398
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 1_2_0580D2D8
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 0581115Fh 1_2_058110E9
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 0581115Fh 1_2_058110F8
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 0581115Fh 1_2_05811339
Source: C:\Users\user\Desktop\doc1.exe Code function: 4x nop then jmp 0581115Fh 1_2_058112A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00DDE62Fh 4_2_00DDE441
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00DDEFB9h 4_2_00DDE441
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00DDFA49h 4_2_00DDF788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00DDE015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00DDD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00DDDE33
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E33F5Ch 11_2_05E33BC8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E33F5Ch 11_2_05E33BD8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 11_2_05E3F3A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 11_2_05E3F398
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E3ABF0h 11_2_05E3AB32
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E3ABF0h 11_2_05E3AB38
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 11_2_05E4D2D8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E5115Fh 11_2_05E510E9
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E5115Fh 11_2_05E510F8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E5115Fh 11_2_05E51339
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 05E5115Fh 11_2_05E512A8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060BABF0h 18_2_060BAB38
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060BABF0h 18_2_060BAB33
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 18_2_060BF398
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 18_2_060BF3A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060B3F5Ch 18_2_060B3BC8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060B3F5Ch 18_2_060B3BD8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 18_2_060CD2D8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060D115Fh 18_2_060D12A8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060D115Fh 18_2_060D1339
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060D115Fh 18_2_060D10E9
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 4x nop then jmp 060D115Fh 18_2_060D10F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02A0FA39h 21_2_02A0F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02A0E61Fh 21_2_02A0E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02A0EFA9h 21_2_02A0E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 21_2_02A0D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577D469h 21_2_0577D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577FB81h 21_2_0577F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05771011h 21_2_05770D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577D011h 21_2_0577CD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 057715D8h 21_2_05771506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577BEB1h 21_2_0577BC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577C761h 21_2_0577C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05770751h 21_2_057704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577F729h 21_2_0577F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577EA21h 21_2_0577E778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577B1A9h 21_2_0577AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577BA59h 21_2_0577B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577D8C1h 21_2_0577D618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577E171h 21_2_0577DEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577CBB9h 21_2_0577C910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05770BB1h 21_2_05770900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 057715D8h 21_2_057711C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 057715D8h 21_2_057711B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577C309h 21_2_0577C060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 057702F1h 21_2_05770040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577F2D1h 21_2_0577F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577B601h 21_2_0577B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577E5C9h 21_2_0577E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577EE79h 21_2_0577EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0577DD19h 21_2_0577DA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066576F9h 21_2_06657450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066588EDh 21_2_066585B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 21_2_06653676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06656119h 21_2_06655E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066569C9h 21_2_06656720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066572A2h 21_2_06656FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06650741h 21_2_06650498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06657FA9h 21_2_06657D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06655869h 21_2_066555C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06655CC1h 21_2_06655A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06656571h 21_2_066562C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 21_2_06653360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06656E21h 21_2_06656B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 21_2_06653350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066502E9h 21_2_06650040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06650B99h 21_2_066508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06657B51h 21_2_066578A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 066553E9h 21_2_06655140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06658401h 21_2_06658158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 013DE61Fh 26_2_013DE431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 013DEFA9h 26_2_013DE431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 013DFA39h 26_2_013DF778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 26_2_013DE005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 26_2_013DD7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 26_2_013DDE23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06881011h 26_2_06880D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688DD19h 26_2_0688DA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068815D8h 26_2_068811C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688E171h 26_2_0688DEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688D8C1h 26_2_0688D618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688BA59h 26_2_0688B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688B1A9h 26_2_0688AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688EA21h 26_2_0688E778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688F729h 26_2_0688F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06880751h 26_2_068804A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688C761h 26_2_0688C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688BEB1h 26_2_0688BC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068815D8h 26_2_06881506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688D011h 26_2_0688CD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688EE79h 26_2_0688EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688E5C9h 26_2_0688E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688B601h 26_2_0688B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688FB81h 26_2_0688F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688F2D1h 26_2_0688F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068802F1h 26_2_06880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688C309h 26_2_0688C060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688D469h 26_2_0688D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 06880BB1h 26_2_06880900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0688CBB9h 26_2_0688C910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B88EDh 26_2_068B85B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B6119h 26_2_068B5E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B72A2h 26_2_068B6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B69C9h 26_2_068B6720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B0741h 26_2_068B0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B76F9h 26_2_068B7450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B5869h 26_2_068B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B7FA9h 26_2_068B7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B6571h 26_2_068B62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B5CC1h 26_2_068B5A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 26_2_068B3350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 26_2_068B3360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B6E21h 26_2_068B6B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B7B51h 26_2_068B78A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B0B99h 26_2_068B08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B02E9h 26_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B53E9h 26_2_068B5140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 068B8401h 26_2_068B8158

Networking

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 144.91.79.54 80
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49727 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49761 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49750 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49723 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49746 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49742 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49756 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49721 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49760 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49751 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49766 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49755 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49763 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49764 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49759 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49768 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49774 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/ThXb4tU1jp1fQQFsQkY1.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49726 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49743 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49758 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/ThXb4tU1jp1fQQFsQkY1.txt HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324272341.0000000005761000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2330493341.000000000576E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329957807.00000000030F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txt
Source: wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txtb
Source: wscript.exe, 00000003.00000003.2327596611.0000000000B92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/file
Source: wscript.exe, 00000003.00000003.2328017986.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2323812806.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/file0F?
Source: wscript.exe, 00000003.00000003.2328017986.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2323812806.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/filewF
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/r
Source: wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/s
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327347198.00000000030F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2321571179.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329992171.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327265308.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2313721636.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/2508/v
Source: wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/4
Source: wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/;
Source: wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54/M
Source: wscript.exe, 00000003.00000003.2303245791.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.91.79.54:80/2508/s
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B93000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000035.00000002.3463466912.000001E75A800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.53.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.53.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: wscript.exe, 00000003.00000003.2323886447.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326342412.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microso
Source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: qmgr.db.53.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000035.00000003.3336685881.000001E75A600000.00000004.00000800.00020000.00000000.sdmp, edb.log.53.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: doc1.exe, bosotkm.exe.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49738 version: TLS 1.2

System Summary

Source: amsi64_3508.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2188.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_6756.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2548.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2744.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_4568.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000001A.00000002.3442953774.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FD5A0 NtResumeThread, 1_2_057FD5A0
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FC0A8 NtProtectVirtualMemory, 1_2_057FC0A8
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FD598 NtResumeThread, 1_2_057FD598
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FD68F NtResumeThread, 1_2_057FD68F
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FC1C8 NtProtectVirtualMemory, 1_2_057FC1C8
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057FC0A0 NtProtectVirtualMemory, 1_2_057FC0A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_05E3D5A0 NtResumeThread, 11_2_05E3D5A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_05E3C0A8 NtProtectVirtualMemory, 11_2_05E3C0A8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_05E3D598 NtResumeThread, 11_2_05E3D598
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_05E3D550 NtResumeThread, 11_2_05E3D550
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_05E3C0A0 NtProtectVirtualMemory, 11_2_05E3C0A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060BD5A0 NtResumeThread, 18_2_060BD5A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060BC0A8 NtProtectVirtualMemory, 18_2_060BC0A8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060BD598 NtResumeThread, 18_2_060BD598
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060BC0A0 NtProtectVirtualMemory, 18_2_060BC0A0
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060C001E 18_2_060C001E
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060CE810 18_2_060CE810
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060C0040 18_2_060C0040
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D0418 18_2_060D0418
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D8050 18_2_060D8050
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D040B 18_2_060D040B
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D04BB 18_2_060D04BB
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D12A8 18_2_060D12A8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D1339 18_2_060D1339
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D8041 18_2_060D8041
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D10E9 18_2_060D10E9
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D10F8 18_2_060D10F8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D0910 18_2_060D0910
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060D093A 18_2_060D093A
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060DC9A0 18_2_060DC9A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_060DC9B0 18_2_060DC9B0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_0635CE98 18_2_0635CE98
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_0634001A 18_2_0634001A
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 18_2_06340040 18_2_06340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0B328 21_2_02A0B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0C190 21_2_02A0C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A06108 21_2_02A06108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0F778 21_2_02A0F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0C753 21_2_02A0C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0E431 21_2_02A0E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0C470 21_2_02A0C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A04AD9 21_2_02A04AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0CA33 21_2_02A0CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A06880 21_2_02A06880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A09858 21_2_02A09858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0BEB0 21_2_02A0BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0D7E0 21_2_02A0D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A0D7F0 21_2_02A0D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_02A03573 21_2_02A03573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05777588 21_2_05777588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05777E78 21_2_05777E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577D1C0 21_2_0577D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F8D8 21_2_0577F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05773288 21_2_05773288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05777D7E 21_2_05777D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770D60 21_2_05770D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577CD68 21_2_0577CD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770D50 21_2_05770D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577CD58 21_2_0577CD58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05776DF7 21_2_05776DF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F471 21_2_0577F471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577BC08 21_2_0577BC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C4B8 21_2_0577C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_057704A0 21_2_057704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C4A8 21_2_0577C4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770491 21_2_05770491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F480 21_2_0577F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577E778 21_2_0577E778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577E768 21_2_0577E768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577AF00 21_2_0577AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577B7B0 21_2_0577B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577B7A0 21_2_0577B7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_057777A8 21_2_057777A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577D618 21_2_0577D618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05776E00 21_2_05776E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577D609 21_2_0577D609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577AEEF 21_2_0577AEEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577DEC8 21_2_0577DEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577DEB8 21_2_0577DEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C910 21_2_0577C910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C903 21_2_0577C903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770900 21_2_05770900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577D1B0 21_2_0577D1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C060 21_2_0577C060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577C050 21_2_0577C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770040 21_2_05770040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F028 21_2_0577F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F018 21_2_0577F018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05770007 21_2_05770007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_057708F0 21_2_057708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577F8C9 21_2_0577F8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577B358 21_2_0577B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577B348 21_2_0577B348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577E320 21_2_0577E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577E310 21_2_0577E310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577BBF8 21_2_0577BBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577EBD0 21_2_0577EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577EBC1 21_2_0577EBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577DA70 21_2_0577DA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05773278 21_2_05773278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0577DA63 21_2_0577DA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665A600 21_2_0665A600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665BF30 21_2_0665BF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06659FB0 21_2_06659FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665AC48 21_2_0665AC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06657450 21_2_06657450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650D48 21_2_06650D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066585B0 21_2_066585B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665C580 21_2_0665C580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665D218 21_2_0665D218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665B290 21_2_0665B290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06658BF9 21_2_06658BF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665CBD0 21_2_0665CBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665B8E0 21_2_0665B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655E60 21_2_06655E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655E70 21_2_06655E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066536D8 21_2_066536D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656720 21_2_06656720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665BF20 21_2_0665BF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656713 21_2_06656713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656FF1 21_2_06656FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656FF8 21_2_06656FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06659FA0 21_2_06659FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665743F 21_2_0665743F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665AC38 21_2_0665AC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06657CF0 21_2_06657CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650488 21_2_06650488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650498 21_2_06650498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665C570 21_2_0665C570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650D39 21_2_06650D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06657D00 21_2_06657D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665A5F0 21_2_0665A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066555C0 21_2_066555C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066585AB 21_2_066585AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066555B3 21_2_066555B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655A08 21_2_06655A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665D20A 21_2_0665D20A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655A18 21_2_06655A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066562C8 21_2_066562C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066562BB 21_2_066562BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665B281 21_2_0665B281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06653360 21_2_06653360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656B69 21_2_06656B69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06656B78 21_2_06656B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06653350 21_2_06653350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665CBC0 21_2_0665CBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066543D8 21_2_066543D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650040 21_2_06650040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06652848 21_2_06652848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06652858 21_2_06652858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06650006 21_2_06650006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066508E1 21_2_066508E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066508F0 21_2_066508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_0665B8D0 21_2_0665B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_066578A8 21_2_066578A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06657898 21_2_06657898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655140 21_2_06655140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06658148 21_2_06658148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06658158 21_2_06658158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_06655133 21_2_06655133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 22_2_0184DD24 22_2_0184DD24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013D6108 26_2_013D6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DC190 26_2_013DC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DB328 26_2_013DB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DE431 26_2_013DE431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DC470 26_2_013DC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DF778 26_2_013DF778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DC752 26_2_013DC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013D9858 26_2_013D9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013D6880 26_2_013D6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DBBB8 26_2_013DBBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DCA32 26_2_013DCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013D4AD9 26_2_013D4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DBEB0 26_2_013DBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013D3572 26_2_013D3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DB4F2 26_2_013DB4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DD7F0 26_2_013DD7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_013DD7E0 26_2_013DD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06887E78 26_2_06887E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068877A8 26_2_068877A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880D60 26_2_06880D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06883288 26_2_06883288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688DA70 26_2_0688DA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688DEB8 26_2_0688DEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688DEC8 26_2_0688DEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688AEEF 26_2_0688AEEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688D609 26_2_0688D609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06886E00 26_2_06886E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688D618 26_2_0688D618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06887E37 26_2_06887E37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688B7A0 26_2_0688B7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688B7B0 26_2_0688B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688AF00 26_2_0688AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688E768 26_2_0688E768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688E778 26_2_0688E778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F480 26_2_0688F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880491 26_2_06880491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068804A0 26_2_068804A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688C4B8 26_2_0688C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688BC08 26_2_0688BC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F471 26_2_0688F471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688CD58 26_2_0688CD58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880D50 26_2_06880D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688CD68 26_2_0688CD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688DA63 26_2_0688DA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06883278 26_2_06883278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688EBC1 26_2_0688EBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688EBD0 26_2_0688EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688BBF8 26_2_0688BBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688E310 26_2_0688E310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688E320 26_2_0688E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688B348 26_2_0688B348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688B358 26_2_0688B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F8C9 26_2_0688F8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F8D8 26_2_0688F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068808F0 26_2_068808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880007 26_2_06880007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F018 26_2_0688F018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688F028 26_2_0688F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880040 26_2_06880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688C050 26_2_0688C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688C060 26_2_0688C060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688D1B0 26_2_0688D1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688D1C0 26_2_0688D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_06880900 26_2_06880900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688C903 26_2_0688C903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_0688C910 26_2_0688C910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BA600 26_2_068BA600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B9FB0 26_2_068B9FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BBF30 26_2_068BBF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BAC48 26_2_068BAC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BC580 26_2_068BC580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B85B0 26_2_068B85B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0D48 26_2_068B0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BB290 26_2_068BB290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BD218 26_2_068BD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BCBD0 26_2_068BCBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B8BF9 26_2_068B8BF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BB8E0 26_2_068BB8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B36D8 26_2_068B36D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5E60 26_2_068B5E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5E70 26_2_068B5E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B9FA0 26_2_068B9FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6FF8 26_2_068B6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6FF1 26_2_068B6FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6713 26_2_068B6713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6720 26_2_068B6720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BBF20 26_2_068BBF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0488 26_2_068B0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0498 26_2_068B0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B7CF0 26_2_068B7CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B743F 26_2_068B743F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BAC37 26_2_068BAC37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B7450 26_2_068B7450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B85AB 26_2_068B85AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B55B3 26_2_068B55B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B55C0 26_2_068B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BA5F0 26_2_068BA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B7D00 26_2_068B7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0D39 26_2_068B0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BB281 26_2_068BB281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B62BB 26_2_068B62BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B62C8 26_2_068B62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BD20B 26_2_068BD20B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5A08 26_2_068B5A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5A18 26_2_068B5A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BCBC0 26_2_068BCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B43D8 26_2_068B43D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B3350 26_2_068B3350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6B69 26_2_068B6B69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B3360 26_2_068B3360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B6B78 26_2_068B6B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B7898 26_2_068B7898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B78A8 26_2_068B78A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068BB8D0 26_2_068BB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B08E1 26_2_068B08E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B08F0 26_2_068B08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0006 26_2_068B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B2848 26_2_068B2848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B0040 26_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B2858 26_2_068B2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5133 26_2_068B5133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B8148 26_2_068B8148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B5140 26_2_068B5140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 26_2_068B8158 26_2_068B8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_02712560 29_2_02712560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0271DD24 29_2_0271DD24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 35_2_0127DD24 35_2_0127DD24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 35_2_051B0006 35_2_051B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 35_2_051B0040 35_2_051B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 41_2_0130DD24 41_2_0130DD24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064
Source: doc1.exe Static PE information: invalid certificate
Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs doc1.exe
Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs doc1.exe
Source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
Source: doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs doc1.exe
Source: doc1.exe, 00000001.00000002.2292811799.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs doc1.exe
Source: doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs doc1.exe
Source: doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
Source: doc1.exe, 00000001.00000002.2302983125.0000000005230000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUlsahqrq.dll" vs doc1.exe
Source: doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs doc1.exe
Source: doc1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi64_3508.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2188.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_6756.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2548.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2744.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_4568.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000001A.00000002.3442953774.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: doc1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bosotkm.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb=
Source: MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsers\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:r
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2562731419.000000000154D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 0000000C.00000002.2457220076.0000000000F43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb==
Source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb0q
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000016.00000002.2558663468.00000000014E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb((^
Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbll
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@59/79@2/4
Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Roaming\bosotkm.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6452
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess400
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5984
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2420
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4896
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_2116847995
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_03
Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Local\Temp\msb.vbe Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs"
Source: doc1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: doc1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
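The seven identical ExecQuery/CreateInstanceEnum pairs above show wscript.exe repeatedly asking WMI whether MSBuild.exe is running, which is the same MSBuild.exe that PowerShell later starts with an empty command line. As an added example that is not part of the Joe Sandbox report, the Python below parses lines in this "WMI Queries:" format, pulls the class and WHERE filter out of the WQL, collapses repeats per process so a polling loop shows up as a count, and raises a finding when a script host enumerates Win32_Process, with higher severity when the filter names a .NET utility commonly used as an injection target. The sample lines are constructed from the report's wscript.exe queries plus one benign svchost.exe query invented for contrast; the severity tiers, the SCRIPT_HOSTS set and the INJECTION_TARGETS list are assumptions of the example.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional, Tuple

# Constructed sample: the two wscript.exe query shapes from the report, repeated as the
# report shows them, plus one benign svchost.exe query invented for contrast.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'",
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process",
] * 3 + [
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem",
]

# "Source: <process> WMI Queries: <interface>::<method> - <namespace> : <payload>"
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) WMI Queries: (?P<iface>\w+)::(?P<method>\w+) - (?P<ns>\S+) : (?P<payload>.+)$"
)
# Minimal WQL shape: SELECT <cols> FROM <class> [WHERE <conditions>]
WQL_RE = re.compile(r"^SELECT\s+.+?\s+FROM\s+(?P<cls>\w+)(?:\s+WHERE\s+(?P<where>.+))?$", re.I)
# Conditions of the form  Column = 'value'  or  Column LIKE 'value'
COND_RE = re.compile(r"(\w+)\s*(=|LIKE)\s*'([^']*)'", re.I)

# Assumed lists for the example (not from the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INJECTION_TARGETS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "aspnet_compiler.exe"}


class WmiQuery(NamedTuple):
    process: str
    method: str
    namespace: str
    wmi_class: str
    where: Tuple[Tuple[str, str], ...]  # (lower-cased column, value) pairs; tuple so it hashes


def parse_wmi_line(line: str) -> Optional[WmiQuery]:
    """Parse one report line into a WmiQuery, or None if it is not a WMI query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = m["payload"].strip()
    where: Tuple[Tuple[str, str], ...] = ()
    if m["method"] == "ExecQuery":
        q = WQL_RE.match(payload)
        if not q:
            return None
        wmi_class = q["cls"]
        if q["where"]:
            where = tuple((col.lower(), val) for col, _op, val in COND_RE.findall(q["where"]))
    else:
        # CreateInstanceEnum and similar calls carry a bare class name as payload.
        wmi_class = payload
    return WmiQuery(m["proc"], m["method"], m["ns"], wmi_class, where)


def analyze(lines):
    """Return findings for script hosts enumerating processes via WMI.

    Identical queries from one process are collapsed and counted: the same WQL issued
    again and again is a polling loop, and the count makes that visible.
    """
    queries = [q for q in map(parse_wmi_line, lines) if q is not None]
    findings = []
    for q, n in Counter(queries).items():
        host = q.process.rsplit("\\", 1)[-1].lower()
        if host not in SCRIPT_HOSTS or q.wmi_class.lower() != "win32_process":
            continue
        target = dict(q.where).get("name", "")
        severity = "high" if target.lower() in INJECTION_TARGETS else "medium"
        findings.append({
            "process": host,
            "method": q.method,
            "namespace": q.namespace,
            "target": target,
            "count": n,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['process']} {f['method']} Win32_Process "
              f"target={f['target'] or '<all>'} repeated={f['count']}")
```

The parser is deliberately narrow: it handles the single-table SELECT ... WHERE shape that Joe Sandbox prints, not arbitrary WQL, and an unparseable ExecQuery is dropped rather than guessed at. In a SIEM the same two signals (script host + Win32_Process, and a Name filter on a known injection target) map directly onto Sysmon event 19/20/21 style WMI telemetry or an ETW Microsoft-Windows-WMI-Activity feed.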
Source: C:\Users\user\Desktop\doc1.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\doc1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3472399164.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3472946076.0000000003C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E56000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: doc1.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\doc1.exe File read: C:\Users\user\Desktop\doc1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\doc1.exe "C:\Users\user\Desktop\doc1.exe"
Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe"
Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\bosotkm.exe "C:\Users\user\AppData\Roaming\bosotkm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
Source: unknown Process created: C:\Users\user\AppData\Roaming\bosotkm.exe "C:\Users\user\AppData\Roaming\bosotkm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
Source: C:\Users\user\Desktop\doc1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\doc1.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Users\user\Desktop\doc1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\doc1.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
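The "Section loaded" and registry lines above are worth reading as a whole rather than one at a time. InstallUtil.exe, a signed .NET installer utility, pulls in a complete outbound stack (winhttp.dll, mswsock.dll, dnsapi.dll, schannel.dll, ncrypt.dll), then dpapi.dll, and then opens the Outlook profile store under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles; none of that is needed to install a .NET service, and together it is consistent with a credential-stealing payload running inside the host process rather than InstallUtil's own code. The Python below is an added triage script, not part of the Joe Sandbox report, that parses lines in the report's own "Source: <image path> <event>: <detail>" shape and flags exactly those combinations. The DLL lists and the set of .NET host binaries (RegAsm.exe, RegSvcs.exe and AppLaunch.exe in addition to the InstallUtil.exe and MSBuild.exe seen on this page) are my own heuristics, and the sample lines are constructed from entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines in this report's own shape; not a full transcript of the page.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
"""

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>[A-Za-z]:\\\S+?\.exe)\s+(?P<event>[A-Za-z ]+?):\s+(?P<detail>.+?)\s*$"
)
LINK_RESIDUE = " Jump to behavior"   # HTML link text that survives report export

# .NET utilities commonly used as injection / hollowing hosts. InstallUtil.exe and
# MSBuild.exe are the ones in this report; the others are my additions (assumption).
LOLBIN_HOSTS = {"installutil.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe", "applaunch.exe"}
# A loaded outbound network / TLS stack (heuristic list, my own).
NETWORK_DLLS = {"winhttp.dll", "wininet.dll", "ws2_32.dll", "mswsock.dll",
                "dnsapi.dll", "schannel.dll", "iphlpapi.dll"}
# DPAPI / Credential Manager access, used when decrypting browser and mail stores.
CREDENTIAL_DLLS = {"dpapi.dll", "vaultcli.dll"}
# Outlook profile store; the last path component on this page is the fixed Outlook account subkey.
OUTLOOK_PROFILE_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles\\",
                                re.IGNORECASE)


def parse_line(line):
    """Split one report line into (image path, event, detail); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    if detail.endswith(LINK_RESIDUE):
        detail = detail[: -len(LINK_RESIDUE)]
    return m.group("proc"), m.group("event"), detail


def triage(lines):
    """Return {image path: [finding, ...]} for the combinations worth an analyst's time."""
    loaded = defaultdict(set)
    findings = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, detail = parsed
        if event == "Section loaded":
            loaded[proc].add(detail.lower())
        elif event in ("Key opened", "Key value queried") and OUTLOOK_PROFILE_RE.search(detail):
            findings[proc].append(f"reads Outlook profile store: {detail}")
    for proc, dlls in loaded.items():
        name = proc.rsplit("\\", 1)[-1].lower()
        if name not in LOLBIN_HOSTS:
            continue
        net = sorted(dlls & NETWORK_DLLS)
        if net:
            findings[proc].append(f"{name} loaded a network stack: {', '.join(net)}")
        cred = sorted(dlls & CREDENTIAL_DLLS)
        if cred:
            findings[proc].append(f"{name} loaded credential-store DLLs: {', '.join(cred)}")
    return dict(findings)


if __name__ == "__main__":
    for proc, items in triage(SAMPLE_LINES.splitlines()).items():
        print(proc)
        for item in items:
            print("  -", item)
```

MSBuild.exe legitimately loads networking DLLs when it restores packages, so on developer workstations treat the MSBuild network rule as a lead rather than a verdict; a non-Office process reading the Outlook profile store is the strong signal here.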
Source: doc1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: doc1.exe Static file information: File size 1118840 > 1048576
Source: doc1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
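The three static lines above say that doc1.exe has a COM descriptor data directory (it is a managed .NET assembly, which is why mscoree.dll heads the load lists), that the file is over 1 MiB, and that its DllCharacteristics flags are HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE. The Python below is an added example, not the report's tooling, that reads those fields straight from the PE headers with struct (no pefile dependency) and lists the mitigations that are absent. Because no sample ships with this page, it also builds a constructed header-only image to exercise the parser; the RVA it writes into the CLR directory entry is a placeholder.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header: present => managed assembly
MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def parse_pe_headers(data):
    """Read machine, DllCharacteristics and data-directory presence from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                              # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(ndirs, 16))]

    def present(index):
        return index < len(dirs) and dirs[index][0] != 0 and dirs[index][1] != 0

    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "dll_characteristics": flags,
        "missing_mitigations": [m for m in MITIGATIONS if m not in flags],
        "managed": present(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
        "has_debug_dir": present(IMAGE_DIRECTORY_ENTRY_DEBUG),
    }


def build_minimal_pe(dll_characteristics, managed, pe32plus=False):
    """Constructed header-only image for exercising the parser; not loadable by Windows."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    if managed:
        # IMAGE_COR20_HEADER is 72 bytes; the RVA 0x2008 is a placeholder (assumption).
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # The flag set this report lists for doc1.exe.
    flags = 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000
    print(parse_pe_headers(build_minimal_pe(flags, managed=True)))
```

GUARD_CF is normally absent from C#-compiled assemblies, so its absence is not by itself a signal; a missing DYNAMIC_BASE or NX_COMPAT on a recently built binary is worth a second look, and `managed` being true tells you to expect CLR-specific behaviour (mscoree.dll loads, .NET injection hosts) in the dynamic section.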
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBJ source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb|) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbS source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb\dp`d source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb= source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbYQ source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2562731419.000000000154D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbs source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb((^ source: MSBuild.exe, 00000016.00000002.2558663468.00000000014E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb` source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\MSBuild.pdb,) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbf source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL} source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL08w# source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: mscorlib.pdb7 source: WERABFD.tmp.dmp.43.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbV source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.pdbMSBuild.exe source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbS source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb6 source: WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb$ source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb! source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: ?pnC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb" source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb3 source: MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb!z source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbV source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbS source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbl)B source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.pdbxW source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb== source: MSBuild.exe, 0000000C.00000002.2457220076.0000000000F43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbJ@2 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: osymbols\exe\MSBuild.pdb source: MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb4 source: WERC3B0.tmp.dmp.15.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsers\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:r source: MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdbH source: WER69E3.tmp.dmp.37.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbeh source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HPdn0C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB89 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: @pn.pdb5w source: MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb~x+h5 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb.x source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: mscorlib.pdbL}f source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbH source: WER2A88.tmp.dmp.31.dr
Source: Binary string: System.Core.pdb`d source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbll source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdbt source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: System.Windows.Forms.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Drawing.pdbL08w# source: WERABFD.tmp.dmp.43.dr
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb;h source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdbB@* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @pn.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb*p source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb0q source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbhWH source: WERF2AF.tmp.dmp.24.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbd5 source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr

Data Obfuscation

Source: doc1.exe, Uofmwwt.cs .Net Code: Epzyany System.AppDomain.Load(byte[])
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 1.2.doc1.exe.3b1bdd0.3.raw.unpack, Uofmwwt.cs .Net Code: Epzyany System.AppDomain.Load(byte[])
Source: Yara match File source: 1.2.doc1.exe.56f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2303816567.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_01066330 push esp; retf 1_2_01066331
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_057E5A54 push es; retf 1_2_057E5A57
Source: C:\Users\user\Desktop\doc1.exe Code function: 1_2_0580327C push ebx; iretd 1_2_0580327F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00DD24B9 push 8BFFFFFFh; retf 4_2_00DD24BF
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016367F7 pushad ; iretd 11_2_016367F9
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016367D8 pushad ; iretd 11_2_016367DA
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016367BA pushad ; iretd 11_2_016367BB
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01636833 pushad ; iretd 11_2_01636834
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01636814 pushad ; iretd 11_2_01636815
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637165 push esi; iretd 11_2_01637166
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637142 push esi; iretd 11_2_01637144
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637124 push edi; iretd 11_2_01637125
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637105 push edi; iretd 11_2_01637106
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016371EC push esi; iretd 11_2_016371EE
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016371CD push esi; iretd 11_2_016371CF
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016371AB push esi; iretd 11_2_016371AD
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_0163705E push edi; iretd 11_2_0163705F
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016370E5 push edi; iretd 11_2_016370E7
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016370C1 push edi; iretd 11_2_016370C2
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637080 push edi; iretd 11_2_01637081
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_0163709E push edi; iretd 11_2_016370A0
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637365 push esp; iretd 11_2_01637367
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637343 push esp; iretd 11_2_01637345
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637322 push ebp; iretd 11_2_01637323
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016373F6 push esp; iretd 11_2_016373F8
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016373D5 push esp; iretd 11_2_016373D6
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_016373AD push esp; iretd 11_2_016373AE
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637385 push esp; iretd 11_2_01637386
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_01637273 push ebp; iretd 11_2_01637279
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_0163724E push ebp; iretd 11_2_01637254
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Code function: 11_2_0163720E push esi; iretd 11_2_01637210
Source: doc1.exe Static PE information: section name: .text entropy: 7.920829116713707
Source: bosotkm.exe.1.dr Static PE information: section name: .text entropy: 7.920829116713707

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs
Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Roaming\bosotkm.exe
Source: C:\Users\user\Desktop\doc1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bosotkm
Source: C:\Users\user\Desktop\doc1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 1060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 4A50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 50B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1030000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 32E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 52E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4BD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5130000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 13D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4730000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5244
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4991
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5201
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5364
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6728
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2907
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5174
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 763
Source: C:\Windows\SysWOW64\wscript.exe TID: 2744 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2832 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1944 Thread sleep count: 4725 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1944 Thread sleep count: 5088 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599447s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599338s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -599231s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598898s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -598016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -597078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -596969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -596844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -596735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -596610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -596083s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -595110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594513s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594181s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -594055s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593924s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593793s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4032 Thread sleep time: -593059s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep count: 43 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2812 Thread sleep count: 4991 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599871s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6404 Thread sleep count: 4844 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -599093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598973s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598852s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -598094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597524s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597420s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597133s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -597031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -596031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -595046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594933s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594716s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594426s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3744 Thread sleep time: -594139s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep count: 40 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3780 Thread sleep count: 4640 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3780 Thread sleep count: 5201 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599233s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -599015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598358s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598248s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -598030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597605s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597160s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -597031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -596046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595936s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -595146s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594960s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594624s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840 Thread sleep time: -594281s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4232 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2052 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2100 Thread sleep count: 5174 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep count: 763 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6480 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594281
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: doc1.exe, 00000001.00000002.2303581232.0000000005612000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000003.2323886447.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326637032.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2
Source: bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: wscript.exe, 00000003.00000003.2323886447.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326637032.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327596611.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328293123.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325315975.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 0000001A.00000002.3446787487.0000000001147000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlles C/
Source: bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: wscript.exe, 00000005.00000003.2384565726.00000198522E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: InstallUtil.exe, 00000015.00000002.3450204608.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: InstallUtil.exe, 00000004.00000002.3445132383.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\doc1.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 21_2_05777588 LdrInitializeThunk, 21_2_05777588
Source: C:\Users\user\Desktop\doc1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\doc1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 144.91.79.54 80
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F80000 value starts with: 4D5A
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
Source: C:\Users\user\Desktop\doc1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 702008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E4000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A85008
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B49008
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D93008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1210000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1212000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1224000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1226000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1054008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 702000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 714000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 716000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47A008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E4000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BAD008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F80000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F82000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F94000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F96000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D53008
Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe"
Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
Source: C:\Users\user\Desktop\doc1.exe Queries volume information: C:\Users\user\Desktop\doc1.exe VolumeInformation
Source: C:\Users\user\Desktop\doc1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Queries volume information: C:\Users\user\AppData\Roaming\bosotkm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bosotkm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\doc1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 12.2.MSBuild.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2456553798.00000000009D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4896, type: MEMORYSTR
Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3461729638.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3442856723.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3460895487.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3460956266.000000000301B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR
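The credential-store accesses listed in this section (InstallUtil.exe opening the Chrome and Edge Login Data stores, the Postbox profile directory and the Outlook MAPI profile key) are the observable a detection should key on: a process that is neither the browser nor the mail client reading those paths, and one process reading several of them in a row. The following is an added example, not part of the Joe Sandbox report: Python detection logic run over constructed, simplified "pid|image|operation|target" event lines that mirror the observations above. The line format, the allowlist of legitimate readers and the PIDs of the benign processes are assumptions, not a real Sysmon or EDR schema.

```python
"""Flag credential-store access by processes with no business reading them.

Added example, not part of the sandbox report. Event lines are constructed to
mirror the report (InstallUtil.exe opening Chrome/Edge 'Login Data', the Postbox
profile directory and the Outlook MAPI profile key). The 'pid|image|op|target'
format, the allowlist and the benign PIDs are assumptions for illustration.
"""
import re
from collections import defaultdict

# Credential stores the report shows being touched, matched on the target path
# or registry key (case-insensitive).
CRED_STORES = {
    "chrome_login_data": re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    "edge_login_data": re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I),
    "postbox_profile": re.compile(r"\\AppData\\Roaming\\PostboxApp\\Profiles(\\|$)", re.I),
    "outlook_mapi_profile": re.compile(
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", re.I),
}

# Images that legitimately read each store (assumed allowlist); anything else is suspicious.
ALLOWED = {
    "chrome_login_data": {"chrome.exe"},
    "edge_login_data": {"msedge.exe"},
    "postbox_profile": {"postbox.exe"},
    "outlook_mapi_profile": {"outlook.exe"},
}

LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<image>[^|]+)\|(?P<op>[^|]+)\|(?P<target>.+)$")


def classify(target):
    """Name of the credential store a path/key belongs to, or None."""
    for name, rx in CRED_STORES.items():
        if rx.search(target):
            return name
    return None


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_credential_theft(lines):
    """Return {(pid, image): {stores}} for processes outside the allowlist."""
    hits = defaultdict(set)
    for ev in parse(lines):
        store = classify(ev["target"])
        if store is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in ALLOWED[store]:
            continue
        hits[(int(ev["pid"]), image)].add(store)
    return dict(hits)


def triage(lines, min_stores=2):
    """Processes touching at least min_stores distinct stores: the harvest-everything
    pattern of an infostealer rather than a single stray read."""
    return {k: sorted(v) for k, v in find_credential_theft(lines).items() if len(v) >= min_stores}


# Constructed sample events; the InstallUtil.exe lines mirror the report above.
SAMPLE = [
    r"5392|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"5392|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|FileOpen|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"5392|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|FileOpen|C:\Users\user\AppData\Roaming\PostboxApp\Profiles" + "\\",
    r"5392|C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe|RegOpen|HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"6400|C:\Users\user\Desktop\doc1.exe|RegQuery|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    # benign readers (assumed PIDs): the browser and mail client reading their own stores
    r"4210|C:\Program Files\Google\Chrome\Application\chrome.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"3120|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|RegOpen|HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]

if __name__ == "__main__":
    for (pid, image), stores in triage(SAMPLE).items():
        print(f"{image} (PID {pid}) read {len(stores)} credential stores: {', '.join(stores)}")
```

The allowlist is deliberately per store: Chrome reading Edge's Login Data is as suspicious as InstallUtil.exe reading it. The MachineGuid query by doc1.exe is left out of the store list on purpose; it is a victim-ID or fingerprinting read, not credential access, and belongs in a separate rule.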

Remote Access Functionality

Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3461729638.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3442856723.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3460895487.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3460956266.000000000301B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR
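The Yara-match lists under "Stealing of Sensitive Information" and "Remote Access Functionality" repeat the same sources, and the useful facts are buried in the dump names: the same process appears as 12.2.MSBuild.exe.9d0000.0.unpack and as 0000000C.00000002.….sdmp, so the first field of a dump name is the process index in hex, and InstallUtil.exe (index 21, unpacked at 0x400000) has a region at 0x41A000 whose fifth field is 0x40 where the other dumps carry 0x04. The following added example (not part of the report, nor Joe Sandbox's own tooling) parses the lines as they appear above into a per-image summary of PIDs, unpack bases and RWX regions. It assumes, since the page does not document the naming, that the fifth dot-separated field of an .sdmp name is the region's page protection (0x40 = PAGE_EXECUTE_READWRITE from winnt.h); the sample list is a subset of the report's own lines.

```python
"""Triage helper for Joe Sandbox 'Source: Yara match File source: ...' lines.

Added example, not part of the report. Assumptions the page does not document:
the first field of an .sdmp name is the process index in hex (consistent with
the '12.2.MSBuild.exe' / '0000000C....sdmp' pairing in the report) and the
fifth field is the region's page protection (0x40 = PAGE_EXECUTE_READWRITE).
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # winnt.h memory protection constant

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>UNPACKEDPE|MEMORY|MEMORYSTR)$")
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$", re.I)
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{8})\.[0-9a-f]{8}\.\d+\.(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})(?:\.[0-9a-f]{8}){3}\.sdmp$",
    re.I)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")


def new_entry():
    return {"indices": set(), "pids": set(), "unpacked_at": set(), "rwx_regions": set()}


def summarize(lines):
    """Group Yara-match sources by hosting image. Repeats of a line from other
    report sections collapse because every field is collected into a set."""
    by_index = {}                    # process index -> image, learnt from *.unpack names
    by_image = defaultdict(new_entry)
    pending = []                     # (idx, base, protect) from dumps; resolved once indices are known
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, kind = m["src"], m["kind"]
        if kind == "UNPACKEDPE":
            u = UNPACK_RE.match(src)
            if not u:
                continue
            idx, image = int(u["idx"]), u["image"].lower()
            by_index[idx] = image
            by_image[image]["indices"].add(idx)
            by_image[image]["unpacked_at"].add(int(u["base"], 16))
        elif kind == "MEMORYSTR":
            s = MEMSTR_RE.match(src)
            if s:
                by_image[s["image"].lower()]["pids"].add(int(s["pid"]))
        else:  # MEMORY: a raw dump; the index is hex here (assumption, see module docstring)
            d = SDMP_RE.match(src)
            if d:
                pending.append((int(d["idx"], 16), int(d["base"], 16), int(d["protect"], 16)))
    for idx, base, protect in pending:
        image = by_index.get(idx, f"<process index {idx}>")
        entry = by_image[image]
        entry["indices"].add(idx)
        if protect == PAGE_EXECUTE_READWRITE:
            entry["rwx_regions"].add(base)
    return dict(by_image)


def injected_pe_hosts(summary):
    """Images whose payload was unpacked at a base that also has an RWX region
    just above it (within 1 MiB): a PE written into the host process, matching the
    report's 'Injects a PE file into a foreign processes'. Sorted image names."""
    out = []
    for image, e in summary.items():
        if any(0 <= rwx - b < 0x100000 for b in e["unpacked_at"] for rwx in e["rwx_regions"]):
            out.append(image)
    return sorted(out)


# Subset of the report's own lines, including one repeat from a later section.
SAMPLE = [
    "Source: Yara match File source: 12.2.MSBuild.exe.9d0000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0000000C.00000002.2456553798.00000000009D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4896, type: MEMORYSTR",
    "Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000015.00000002.3442856723.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000015.00000002.3460895487.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR",
    "Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    for image, e in summarize(SAMPLE).items():
        print(image, sorted(e["pids"]), [hex(b) for b in sorted(e["unpacked_at"])], [hex(b) for b in sorted(e["rwx_regions"])])
    print("PE injected into:", injected_pe_hosts(summarize(SAMPLE)))
```

On the report's lines this separates the dropper stages (doc1.exe and bosotkm.exe hold the payload as heap data at 0x3c2d068 and 0x417bdd0, with no RWX region) from the hosts that execute it (MSBuild.exe and InstallUtil.exe, unpacked at an image base with RWX memory just above it). Process index 4 has an RWX region at 0x41B000 but no unpack line in this excerpt, so it is reported under a placeholder name rather than guessed.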